diff --git a/apis/supervisor/idp/v1alpha1/register.go.tmpl b/apis/supervisor/idp/v1alpha1/register.go.tmpl
index 8829a8638..705be8076 100644
--- a/apis/supervisor/idp/v1alpha1/register.go.tmpl
+++ b/apis/supervisor/idp/v1alpha1/register.go.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 &LDAPIdentityProviderList{},
 &ActiveDirectoryIdentityProvider{},
 &ActiveDirectoryIdentityProviderList{},
+ &GitHubIdentityProvider{},
+ &GitHubIdentityProviderList{},
 )
 metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 return nil
diff --git a/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go.tmpl b/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go.tmpl
new file mode 100644
index 000000000..85498a70e
--- /dev/null
+++ b/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go.tmpl
@@ -0,0 +1,252 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubAllowedAuthOrganizationsPolicy string + +const ( + // GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers" + + // GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in + // the listed GitHub organizations are allowed to log in. + GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. 
+ // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // Do not specify a protocol or scheme since 'https://' will always be used. + // + // +kubebuilder:default="github.com" + // +kubebuilder:validation:MinLength=1 + // +optional + Host *string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present +// to Kubernetes. See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // username to present to Kubernetes, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group +// names to present to Kubernetes. 
See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes. + GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims. +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. 
Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + // choice to concatenate the two values. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + // +optional + Username *GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + // +optional + Groups *GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. 
+type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName"` +} + +type GitHubOrganizationsSpec struct { + // Policy must be set to "AllGitHubUsers" if allowed is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=OnlyUsersFromAllowedOrganizations + // +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers + // +optional + Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"` + + // Allowed, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set organizations: AllGitHubUsers. + // + // +kubebuilder:validation:MaxItems=64 + // +listType=set + // +optional + Allowed []string `json:"allowed,omitempty"` +} + +// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. 
+type GitHubAllowAuthenticationSpec struct { + // Organizations allows customization of which organizations can authenticate using this IDP. + // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')" + // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')" + Organizations GitHubOrganizationsSpec `json:"organizations"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubAPI allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"` + + // Claims allows customization of the username and groups claims. + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowAuthentication allows customization of who can authenticate using this IDP and how. + AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. 
+// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl b/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl index 1413a262c..49b49373c 100644 --- a/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl +++ b/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional 
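Review bot: The doc comment on `Allowed` in GitHubOrganizationsSpec tells the admin to set `organizations: AllGitHubUsers` when the list is empty, but the sibling field is `policy` (the CEL messages on GitHubAllowAuthenticationSpec name `spec.allowAuthentication.organizations.policy`), and the `Policy` comment refers to `allowedOrganizations` where the JSON name is `allowed`; suggest `// If no organizations are listed, you must set policy: AllGitHubUsers.` and `// an empty list of allowed means all GitHub users are allowed to log in.` The `Allowed` items carry `+listType=set` and `MaxItems=64` but no per-item constraint, so `allowed: [""]` satisfies the `size(self.allowed) > 0` rule while matching no real organization; controller-gen's items marker, `// +kubebuilder:validation:items:MinLength=1`, or a CEL rule over the elements would reject that at admission. `Host` likewise has only `MinLength=1` although its comment says no scheme may be given; a rule along the lines of `// +kubebuilder:validation:XValidation:rule="!self.contains('://') && !self.contains('/')",message="host must not include a scheme or path"` (constructed example) would enforce the documented contract instead of leaving it to runtime URL construction. Finally, `omitempty` on the struct-valued `GitHubAPI` and `Claims` fields has no effect with encoding/json (struct values are never omitted), GitHubOrganizationsSpec and the two phase/policy string types lack the leading doc comment that every other exported type here has, and several comments say "an GitHub" where "a GitHub" is meant.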
diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
new file mode 100644
index 000000000..12b9a807f
--- /dev/null
+++ b/deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
@@ -0,0 +1,321 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.githubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. 
+ properties: + allowAuthentication: + description: AllowAuthentication allows customization of who can authenticate + using this IDP and how. + properties: + organizations: + description: Organizations allows customization of which organizations + can authenticate using this IDP. + properties: + allowed: + description: |- + Allowed, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set organizations: AllGitHubUsers. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + policy: + default: OnlyUsersFromAllowedOrganizations + description: |- + Policy must be set to "AllGitHubUsers" if allowed is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. 
+ enum: + - OnlyUsersFromAllowedOrganizations + - AllGitHubUsers + type: string + type: object + x-kubernetes-validations: + - message: spec.allowAuthentication.organizations.policy must + be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed + has organizations listed + rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy + == ''AllGitHubUsers'')' + - message: spec.allowAuthentication.organizations.policy must + be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed + is empty + rule: '!((!has(self.allowed) || size(self.allowed) == 0) && + self.policy == ''OnlyUsersFromAllowedOrganizations'')' + required: + - organizations + type: object + claims: + description: Claims allows customization of the username and groups + claims. + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. 
+ + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + choice to concatenate the two values. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). 
+ properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + minLength: 1 + type: string + required: + - secretName + type: object + githubAPI: + default: {} + description: GitHubAPI allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + Do not specify a protocol or scheme since 'https://' will always be used. + minLength: 1 + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + required: + - allowAuthentication + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/deploy/supervisor/rbac.yaml b/deploy/supervisor/rbac.yaml index 97b542fe2..86c322e9a 100644 --- a/deploy/supervisor/rbac.yaml +++ b/deploy/supervisor/rbac.yaml @@ -1,4 +1,4 @@ -#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:data", "data") 
@@ -56,6 +56,14 @@ rules:
 - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
 resources: [activedirectoryidentityproviders/status]
 verbs: [get, patch, update]
+ - apiGroups:
+ - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
+ resources: [githubidentityproviders]
+ verbs: [get, list, watch]
+ - apiGroups:
+ - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
+ resources: [githubidentityproviders/status]
+ verbs: [get, patch, update]
 #! We want to be able to read pods/replicasets/deployment so we can learn who our deployment is to set
 #! as an owner reference.
 - apiGroups: [""]
diff --git a/deploy/supervisor/z0_crd_overlay.yaml b/deploy/supervisor/z0_crd_overlay.yaml
index f7a50a88d..889c0166b 100644
--- a/deploy/supervisor/z0_crd_overlay.yaml
+++ b/deploy/supervisor/z0_crd_overlay.yaml
@@ -1,4 +1,4 @@
-#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
 #@ load("@ytt:overlay", "overlay")
@@ -41,6 +41,15 @@ metadata:
 spec:
 group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
 
+#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"githubidentityproviders.idp.supervisor.pinniped.dev"}}), expects=1
+---
+metadata:
+ #@overlay/match missing_ok=True
+ labels: #@ labels()
+ name: #@ pinnipedDevAPIGroupWithPrefix("githubidentityproviders.idp.supervisor")
+spec:
+ group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
+
 #@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcclients.config.supervisor.pinniped.dev"}}), expects=1
 ---
 metadata:
diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc
index 677bd9552..0934d8d11 100644
--- a/generated/1.21/README.adoc
+++ b/generated/1.21/README.adoc
@@ -1379,6 +1379,233 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). Do not specify a protocol or scheme since 'https://' will always be used. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"] +==== GitHubAllowAuthenticationSpec + +GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"] +==== GitHubAllowedAuthOrganizationsPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. 
This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. 
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githuborganizationsspec"] +==== GitHubOrganizationsSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set organizations: AllGitHubUsers. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1699,11 +1926,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.21/apis/supervisor/idp/v1alpha1/register.go b/generated/1.21/apis/supervisor/idp/v1alpha1/register.go index 8829a8638..705be8076 100644 --- a/generated/1.21/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.21/apis/supervisor/idp/v1alpha1/register.go 
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
@@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 &LDAPIdentityProviderList{},
 &ActiveDirectoryIdentityProvider{},
 &ActiveDirectoryIdentityProviderList{},
+ &GitHubIdentityProvider{},
+ &GitHubIdentityProviderList{},
 )
 metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 return nil
diff --git a/generated/1.21/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.21/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go
new file mode 100644
index 000000000..85498a70e
--- /dev/null
+++ b/generated/1.21/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go
@@ -0,0 +1,252 @@
+// Copyright 2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type GitHubIdentityProviderPhase string
+
+const (
+ // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources.
+ GitHubPhasePending GitHubIdentityProviderPhase = "Pending"
+
+ // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state.
+ GitHubPhaseReady GitHubIdentityProviderPhase = "Ready"
+
+ // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state.
+ GitHubPhaseError GitHubIdentityProviderPhase = "Error"
+)
+
+type GitHubAllowedAuthOrganizationsPolicy string
+
+const (
+ // GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity
+ // provider, regardless of their organization membership or lack thereof.
+ GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers"
+
+ // GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in
+ // the listed GitHub organizations are allowed to log in.
+ GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations"
+)
+
+// GitHubIdentityProviderStatus is the status of an GitHub identity provider.
+type GitHubIdentityProviderStatus struct {
+ // Phase summarizes the overall status of the GitHubIdentityProvider.
+ //
+ // +kubebuilder:default=Pending
+ // +kubebuilder:validation:Enum=Pending;Ready;Error
+ Phase GitHubIdentityProviderPhase `json:"phase,omitempty"`
+
+ // Conditions represents the observations of an identity provider's current state.
+ //
+ // +patchMergeKey=type
+ // +patchStrategy=merge
+ // +listType=map
+ // +listMapKey=type
+ Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+// GitHubAPIConfig allows configuration for GitHub Enterprise Server
+type GitHubAPIConfig struct {
+ // Host is required only for GitHub Enterprise Server.
+ // Defaults to using GitHub's public API (github.com).
+ // Do not specify a protocol or scheme since 'https://' will always be used.
+ //
+ // +kubebuilder:default="github.com"
+ // +kubebuilder:validation:MinLength=1
+ // +optional
+ Host *string `json:"host"`
+
+ // TLS configuration for GitHub Enterprise Server.
+ //
+ // +optional
+ TLS *TLSSpec `json:"tls,omitempty"`
+}
+
+// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
+// to Kubernetes. See the response schema for
+// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
+type GitHubUsernameAttribute string
+
+const (
+ // GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes.
+ GitHubUsernameID GitHubUsernameAttribute = "id"
+
+ // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes.
+ GitHubUsernameLogin GitHubUsernameAttribute = "login"
+
+ // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the
+ // username to present to Kubernetes, separated by a colon. Example: "my-login:1234"
+ GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id"
+)
+
+// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
+// names to present to Kubernetes. See the response schema for
+// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
+type GitHubGroupNameAttribute string
+
+const (
+ // GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes.
+ GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name"
+
+ // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes.
+ GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug"
+)
+
+// GitHubClaims allows customization of the username and groups claims.
+type GitHubClaims struct {
+ // Username configures which property of the GitHub user record shall determine the username in Kubernetes.
+ //
+ // Can be either "id", "login", or "login:id". Defaults to "login:id".
+ //
+ // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
+ // and may not start or end with hyphens. GitHub users are allowed to change their login name,
+ // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
+ // then a second user might change their name from "baz" to "foo" in order to take the old
+ // username of the first user. For this reason, it is not as safe to make authorization decisions
+ // based only on the user's login attribute.
+ //
+ // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
+ // FederationDomain to further customize how these usernames are presented to Kubernetes.
+ //
+ // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
+ // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
+ // from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
+ // choice to concatenate the two values.
+ //
+ // See the response schema for
+ // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
+ //
+ // +kubebuilder:default="login:id"
+ // +kubebuilder:validation:Enum={"id","login","login:id"}
+ // +optional
+ Username *GitHubUsernameAttribute `json:"username"`
+
+ // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
+ //
+ // Can be either "name" or "slug". Defaults to "slug".
+ //
+ // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
+ //
+ // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
+ //
+ // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
+ // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
+ // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
+ // the team name or slug.
+ //
+ // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
+ // FederationDomain to further customize how these group names are presented to Kubernetes.
+ //
+ // See the response schema for
+ // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
+ //
+ // +kubebuilder:default=slug
+ // +kubebuilder:validation:Enum=name;slug
+ // +optional
+ Groups *GitHubGroupNameAttribute `json:"groups"`
+}
+
+// GitHubClientSpec contains information about the GitHub client that this identity provider will use
+// for web-based login flows.
+type GitHubClientSpec struct {
+ // SecretName contains the name of a namespace-local Secret object that provides the clientID and
+ // clientSecret for an GitHub App or GitHub OAuth2 client.
+ //
+ // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
+ //
+ // +kubebuilder:validation:MinLength=1
+ SecretName string `json:"secretName"`
+}
+
+type GitHubOrganizationsSpec struct {
+ // Policy must be set to "AllGitHubUsers" if allowed is empty.
+ //
+ // This field only exists to ensure that Pinniped administrators are aware that an empty list of
+ // allowedOrganizations means all GitHub users are allowed to log in.
+ //
+ // +kubebuilder:default=OnlyUsersFromAllowedOrganizations
+ // +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers
+ // +optional
+ Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"`
+
+ // Allowed, when specified, indicates that only users with membership in at least one of the listed
+ // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
+ // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
+ // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
+ //
+ // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
+ // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
+ // within that organization.
+ //
+ // If no organizations are listed, you must set organizations: AllGitHubUsers.
+ //
+ // +kubebuilder:validation:MaxItems=64
+ // +listType=set
+ // +optional
+ Allowed []string `json:"allowed,omitempty"`
+}
+
+// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
+type GitHubAllowAuthenticationSpec struct {
+ // Organizations allows customization of which organizations can authenticate using this IDP.
+ // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')"
+ // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')"
+ Organizations GitHubOrganizationsSpec `json:"organizations"`
+}
+
+// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
+type GitHubIdentityProviderSpec struct {
+ // GitHubAPI allows configuration for GitHub Enterprise Server
+ //
+ // +kubebuilder:default={}
+ GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"`
+
+ // Claims allows customization of the username and groups claims.
+ //
+ // +optional
+ Claims GitHubClaims `json:"claims,omitempty"`
+
+ // AllowAuthentication allows customization of who can authenticate using this IDP and how.
+ AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"`
+
+ // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
+ Client GitHubClientSpec `json:"client"`
+}
+
+// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
+// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
+//
+// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
+// as OIDCClients.
+//
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type GitHubIdentityProvider struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec for configuring the identity provider.
+ Spec GitHubIdentityProviderSpec `json:"spec"`
+
+ // Status of the identity provider.
+ Status GitHubIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// GitHubIdentityProviderList lists GitHubIdentityProvider objects.
+//
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type GitHubIdentityProviderList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+
+ Items []GitHubIdentityProvider `json:"items"`
+}
diff --git a/generated/1.21/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.21/apis/supervisor/idp/v1alpha1/types_tls.go
index 1413a262c..49b49373c 100644
--- a/generated/1.21/apis/supervisor/idp/v1alpha1/types_tls.go
+++ b/generated/1.21/apis/supervisor/idp/v1alpha1/types_tls.go
@@ -1,9 +1,9 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
-// Configuration for TLS parameters related to identity provider integration.
+// TLSSpec provides TLS configuration for identity provider integration.
 type TLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 // +optional
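Review bot: `Host` in GitHubAPIConfig carries only `MinLength=1` and a default, so a value with a scheme, path, port or userinfo is accepted even though its doc comment tells admins not to supply one; an admission-time rule such as `// +kubebuilder:validation:XValidation:message="host must be a bare hostname, without scheme or path",rule="!self.contains('://') && !self.contains('/')"` would reject it before the Supervisor builds any request from it. `Allowed` in GitHubOrganizationsSpec likewise has only `MaxItems=64` and `listType=set`, so an empty or slash-containing item passes although the hunk's own comments state that organization login names are alphanumeric plus single hyphens and that `/` is the org/team separator; a per-item constraint (`// +kubebuilder:validation:items:MinLength=1`, if the controller-gen in use supports `items:` markers) would catch that. Separately, `host`, `username`, `groups` and `policy` are `+optional` pointers whose json tags lack `omitempty` while `tls` has it; if that is deliberate so a nil serializes as null and is then defaulted by the API server, a one-line comment on the first of them saying so would keep the asymmetry from being "fixed" later. This file sits under generated/, so the same changes presumably belong in the template it is copied from.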
diff --git a/generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
index b0cb168b5..e48860e82 100644
--- a/generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@@ -203,6 +203,221 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec) { + *out = *in + in.Organizations.DeepCopyInto(&out.Organizations) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec. +func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec { + if in == nil { + return nil + } + out := new(GitHubAllowAuthenticationSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(GitHubUsernameAttribute) + **out = **in + } + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = new(GitHubGroupNameAttribute) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. 
+func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubAPI.DeepCopyInto(&out.GitHubAPI) + in.Claims.DeepCopyInto(&out.Claims) + in.AllowAuthentication.DeepCopyInto(&out.AllowAuthentication) + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec) { + *out = *in + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(GitHubAllowedAuthOrganizationsPolicy) + **out = **in + } + if in.Allowed != nil { + in, out := &in.Allowed, &out.Allowed + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec. +func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec { + if in == nil { + return nil + } + out := new(GitHubOrganizationsSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 000000000..3d9c46a5f --- /dev/null 
+++ b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go 
@@ -0,0 +1,129 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"} + +var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index 0d38fc7b9..994384856 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6..a7acc8120 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} 
diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..c75a77de3 --- /dev/null +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) 
(result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. 
+func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} 
diff --git a/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index d4492fdcf..284b93f25 100644 --- a/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.21/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -14,6 +14,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -27,6 +28,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.21/client/supervisor/informers/externalversions/generic.go b/generated/1.21/client/supervisor/informers/externalversions/generic.go index 64054d64b..72a954959 100644 --- a/generated/1.21/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.21/client/supervisor/informers/externalversions/generic.go 
@@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.21/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.21/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..aaf4559eb --- /dev/null +++ b/generated/1.21/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. 
This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.21/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.21/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index 4bebcc71a..8c9ebb175 100644 --- a/generated/1.21/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.21/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go 
@@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.21/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.21/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d..470c06abb 100644 --- a/generated/1.21/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.21/client/supervisor/listers/idp/v1alpha1/expansion_generated.go 
@@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.21/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.21/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..fc0eb051b --- /dev/null +++ b/generated/1.21/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. 
+func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} 
diff --git a/generated/1.21/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.21/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml new file mode 100644 index 000000000..44b5d6609 --- /dev/null +++ b/generated/1.21/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml 
@@ -0,0 +1,327 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.githubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. 
+ properties: + allowAuthentication: + description: AllowAuthentication allows customization of who can authenticate + using this IDP and how. + properties: + organizations: + description: Organizations allows customization of which organizations + can authenticate using this IDP. + properties: + allowed: + description: |- + Allowed, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set organizations: AllGitHubUsers. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + policy: + default: OnlyUsersFromAllowedOrganizations + description: |- + Policy must be set to "AllGitHubUsers" if allowed is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. 
+ enum: + - OnlyUsersFromAllowedOrganizations + - AllGitHubUsers + type: string + type: object + x-kubernetes-validations: + - message: spec.allowAuthentication.organizations.policy must + be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed + has organizations listed + rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy + == ''AllGitHubUsers'')' + - message: spec.allowAuthentication.organizations.policy must + be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed + is empty + rule: '!((!has(self.allowed) || size(self.allowed) == 0) && + self.policy == ''OnlyUsersFromAllowedOrganizations'')' + required: + - organizations + type: object + claims: + description: Claims allows customization of the username and groups + claims. + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. 
+ + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + choice to concatenate the two values. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). 
+ properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + minLength: 1 + type: string + required: + - secretName + type: object + githubAPI: + default: {} + description: GitHubAPI allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + Do not specify a protocol or scheme since 'https://' will always be used. + minLength: 1 + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + required: + - allowAuthentication + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. 
+ // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index de663d43f..a90ba876c 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc 
@@ -1379,6 +1379,233 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). Do not specify a protocol or scheme since 'https://' will always be used. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"] +==== GitHubAllowAuthenticationSpec + +GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"] +==== GitHubAllowedAuthOrganizationsPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. 
This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. 
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githuborganizationsspec"] +==== GitHubOrganizationsSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set organizations: AllGitHubUsers. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1699,11 +1926,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.22/apis/supervisor/idp/v1alpha1/register.go b/generated/1.22/apis/supervisor/idp/v1alpha1/register.go index 8829a8638..705be8076 100644 --- a/generated/1.22/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.22/apis/supervisor/idp/v1alpha1/register.go 
@@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &LDAPIdentityProviderList{}, &ActiveDirectoryIdentityProvider{}, &ActiveDirectoryIdentityProviderList{}, + &GitHubIdentityProvider{}, + &GitHubIdentityProviderList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.22/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.22/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go new file mode 100644 index 000000000..85498a70e --- /dev/null +++ b/generated/1.22/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go 
@@ -0,0 +1,252 @@
+// Copyright 2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type GitHubIdentityProviderPhase string
+
+const (
+ // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources.
+ GitHubPhasePending GitHubIdentityProviderPhase = "Pending"
+
+ // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state.
+ GitHubPhaseReady GitHubIdentityProviderPhase = "Ready"
+
+ // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state.
+ GitHubPhaseError GitHubIdentityProviderPhase = "Error"
+)
+
+type GitHubAllowedAuthOrganizationsPolicy string
+
+const (
+ // GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity
+ // provider, regardless of their organization membership or lack thereof.
+ GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers"
+
+ // GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in
+ // the listed GitHub organizations are allowed to log in.
+ GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations"
+)
+
+// GitHubIdentityProviderStatus is the status of an GitHub identity provider.
+type GitHubIdentityProviderStatus struct {
+ // Phase summarizes the overall status of the GitHubIdentityProvider.
+ //
+ // +kubebuilder:default=Pending
+ // +kubebuilder:validation:Enum=Pending;Ready;Error
+ Phase GitHubIdentityProviderPhase `json:"phase,omitempty"`
+
+ // Conditions represents the observations of an identity provider's current state.
+ //
+ // +patchMergeKey=type
+ // +patchStrategy=merge
+ // +listType=map
+ // +listMapKey=type
+ Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+// GitHubAPIConfig allows configuration for GitHub Enterprise Server
+type GitHubAPIConfig struct {
+ // Host is required only for GitHub Enterprise Server.
+ // Defaults to using GitHub's public API (github.com).
+ // Do not specify a protocol or scheme since 'https://' will always be used.
+ //
+ // +kubebuilder:default="github.com"
+ // +kubebuilder:validation:MinLength=1
+ // +optional
+ Host *string `json:"host"`
+
+ // TLS configuration for GitHub Enterprise Server.
+ //
+ // +optional
+ TLS *TLSSpec `json:"tls,omitempty"`
+}
+
+// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
+// to Kubernetes. See the response schema for
+// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
+type GitHubUsernameAttribute string
+
+const (
+ // GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes.
+ GitHubUsernameID GitHubUsernameAttribute = "id"
+
+ // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes.
+ GitHubUsernameLogin GitHubUsernameAttribute = "login"
+
+ // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the
+ // username to present to Kubernetes, separated by a colon. Example: "my-login:1234"
+ GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id"
+)
+
+// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
+// names to present to Kubernetes.
See the response schema for
+// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
+type GitHubGroupNameAttribute string
+
+const (
+ // GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes.
+ GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name"
+
+ // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes.
+ GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug"
+)
+
+// GitHubClaims allows customization of the username and groups claims.
+type GitHubClaims struct {
+ // Username configures which property of the GitHub user record shall determine the username in Kubernetes.
+ //
+ // Can be either "id", "login", or "login:id". Defaults to "login:id".
+ //
+ // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
+ // and may not start or end with hyphens. GitHub users are allowed to change their login name,
+ // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
+ // then a second user might change their name from "baz" to "foo" in order to take the old
+ // username of the first user. For this reason, it is not as safe to make authorization decisions
+ // based only on the user's login attribute.
+ //
+ // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
+ // FederationDomain to further customize how these usernames are presented to Kubernetes.
+ //
+ // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
+ // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
+ // from GitHub.
Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
+ // choice to concatenate the two values.
+ //
+ // See the response schema for
+ // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
+ //
+ // +kubebuilder:default="login:id"
+ // +kubebuilder:validation:Enum={"id","login","login:id"}
+ // +optional
+ Username *GitHubUsernameAttribute `json:"username"`
+
+ // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
+ //
+ // Can be either "name" or "slug". Defaults to "slug".
+ //
+ // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
+ //
+ // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
+ //
+ // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
+ // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
+ // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
+ // the team name or slug.
+ //
+ // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
+ // FederationDomain to further customize how these group names are presented to Kubernetes.
+ //
+ // See the response schema for
+ // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
+ //
+ // +kubebuilder:default=slug
+ // +kubebuilder:validation:Enum=name;slug
+ // +optional
+ Groups *GitHubGroupNameAttribute `json:"groups"`
+}
+
+// GitHubClientSpec contains information about the GitHub client that this identity provider will use
+// for web-based login flows.
+type GitHubClientSpec struct {
+ // SecretName contains the name of a namespace-local Secret object that provides the clientID and
+ // clientSecret for an GitHub App or GitHub OAuth2 client.
+ //
+ // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
+ //
+ // +kubebuilder:validation:MinLength=1
+ SecretName string `json:"secretName"`
+}
+
+type GitHubOrganizationsSpec struct {
+ // Policy must be set to "AllGitHubUsers" if allowed is empty.
+ //
+ // This field only exists to ensure that Pinniped administrators are aware that an empty list of
+ // allowedOrganizations means all GitHub users are allowed to log in.
+ //
+ // +kubebuilder:default=OnlyUsersFromAllowedOrganizations
+ // +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers
+ // +optional
+ Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"`
+
+ // Allowed, when specified, indicates that only users with membership in at least one of the listed
+ // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
+ // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
+ // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
+ //
+ // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
+ // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
+ // within that organization.
+ //
+ // If no organizations are listed, you must set organizations: AllGitHubUsers.
+ //
+ // +kubebuilder:validation:MaxItems=64
+ // +listType=set
+ // +optional
+ Allowed []string `json:"allowed,omitempty"`
+}
+
+// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
+type GitHubAllowAuthenticationSpec struct {
+ // Organizations allows customization of which organizations can authenticate using this IDP.
+ // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')"
+ // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')"
+ Organizations GitHubOrganizationsSpec `json:"organizations"`
+}
+
+// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
+type GitHubIdentityProviderSpec struct {
+ // GitHubAPI allows configuration for GitHub Enterprise Server
+ //
+ // +kubebuilder:default={}
+ GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"`
+
+ // Claims allows customization of the username and groups claims.
+ //
+ // +optional
+ Claims GitHubClaims `json:"claims,omitempty"`
+
+ // AllowAuthentication allows customization of who can authenticate using this IDP.
+ AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"`
+
+ // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
+ Client GitHubClientSpec `json:"client"`
+}
+
+// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
+// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
+//
+// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
+// as OIDCClients.
+//
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type GitHubIdentityProvider struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec for configuring the identity provider.
+ Spec GitHubIdentityProviderSpec `json:"spec"`
+
+ // Status of the identity provider.
+ Status GitHubIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// GitHubIdentityProviderList lists GitHubIdentityProvider objects.
+//
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type GitHubIdentityProviderList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+
+ Items []GitHubIdentityProvider `json:"items"`
+}
diff --git a/generated/1.22/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.22/apis/supervisor/idp/v1alpha1/types_tls.go
index 1413a262c..49b49373c 100644
--- a/generated/1.22/apis/supervisor/idp/v1alpha1/types_tls.go
+++ b/generated/1.22/apis/supervisor/idp/v1alpha1/types_tls.go
@@ -1,9 +1,9 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
-// Configuration for TLS parameters related to identity provider integration.
+// TLSSpec provides TLS configuration for identity provider integration.
 type TLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 // +optional
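Review bot: The doc comment on `Allowed` in `GitHubOrganizationsSpec` tells the administrator to set `organizations: AllGitHubUsers` when the list is empty, but the field that actually carries that value is `policy` (the CEL messages on `GitHubAllowAuthenticationSpec.Organizations` name it as `spec.allowAuthentication.organizations.policy`), so the line should read `// If no organizations are listed, you must set policy: AllGitHubUsers.`; an admin who follows the comment literally will hit the second XValidation rule with no hint of the right key. This file under generated/1.22 is a copy of apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go.tmpl, so the fix belongs in the template and should be regenerated into every generated/<version> copy. Separately, `Allowed` items and `GitHubAPIConfig.Host` carry no format constraint beyond `MaxItems`/`MinLength`, even though the Groups comment states that organization login names are alphanumeric plus single hyphens and the Host comment says the controller always prepends `https://`; an item-level Pattern on `Allowed` and a hostname[:port] pattern on `Host` would reject a typo or a value carrying a path or userinfo at admission time instead of at first login, though whether the controller validates these itself is not visible in this hunk.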
diff --git a/generated/1.22/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.22/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index b0cb168b5..e48860e82 100644 --- a/generated/1.22/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.22/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go 
@@ -203,6 +203,221 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec) { + *out = *in + in.Organizations.DeepCopyInto(&out.Organizations) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec. +func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec { + if in == nil { + return nil + } + out := new(GitHubAllowAuthenticationSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(GitHubUsernameAttribute) + **out = **in + } + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = new(GitHubGroupNameAttribute) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. 
+func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubAPI.DeepCopyInto(&out.GitHubAPI) + in.Claims.DeepCopyInto(&out.Claims) + in.AllowAuthentication.DeepCopyInto(&out.AllowAuthentication) + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec) { + *out = *in + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(GitHubAllowedAuthOrganizationsPolicy) + **out = **in + } + if in.Allowed != nil { + in, out := &in.Allowed, &out.Allowed + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec. +func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec { + if in == nil { + return nil + } + out := new(GitHubOrganizationsSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 000000000..15b3395ce --- /dev/null 
+++ b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go 
@@ -0,0 +1,129 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"} + +var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index 510424f40..e23712019 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6..a7acc8120 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} 
diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..30b614779 --- /dev/null +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) 
(result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. 
+func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} 
diff --git a/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index 297d8dd8e..c28811807 100644 --- a/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.22/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -14,6 +14,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -27,6 +28,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.22/client/supervisor/informers/externalversions/generic.go b/generated/1.22/client/supervisor/informers/externalversions/generic.go index 476951729..d1c595030 100644 --- a/generated/1.22/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.22/client/supervisor/informers/externalversions/generic.go 
@@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.22/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.22/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..a480860fb --- /dev/null +++ b/generated/1.22/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. 
This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.22/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.22/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index 2ad60604b..c71d10967 100644 --- a/generated/1.22/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.22/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go 
@@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.22/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.22/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d..470c06abb 100644 --- a/generated/1.22/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.22/client/supervisor/listers/idp/v1alpha1/expansion_generated.go 
@@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.22/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.22/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..54bf48ac5 --- /dev/null +++ b/generated/1.22/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. 
+func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} 
diff --git a/generated/1.22/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.22/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml new file mode 100644 index 000000000..44b5d6609 --- /dev/null +++ b/generated/1.22/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml 
@@ -0,0 +1,327 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.githubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. 
+ properties: + allowAuthentication: + description: AllowAuthentication allows customization of who can authenticate + using this IDP and how. + properties: + organizations: + description: Organizations allows customization of which organizations + can authenticate using this IDP. + properties: + allowed: + description: |- + Allowed, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set organizations: AllGitHubUsers. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + policy: + default: OnlyUsersFromAllowedOrganizations + description: |- + Policy must be set to "AllGitHubUsers" if allowed is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. 
+ enum: + - OnlyUsersFromAllowedOrganizations + - AllGitHubUsers + type: string + type: object + x-kubernetes-validations: + - message: spec.allowAuthentication.organizations.policy must + be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed + has organizations listed + rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy + == ''AllGitHubUsers'')' + - message: spec.allowAuthentication.organizations.policy must + be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed + is empty + rule: '!((!has(self.allowed) || size(self.allowed) == 0) && + self.policy == ''OnlyUsersFromAllowedOrganizations'')' + required: + - organizations + type: object + claims: + description: Claims allows customization of the username and groups + claims. + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. 
+ + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + choice to concatenate the two values. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). 
+ properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + minLength: 1 + type: string + required: + - secretName + type: object + githubAPI: + default: {} + description: GitHubAPI allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + Do not specify a protocol or scheme since 'https://' will always be used. + minLength: 1 + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + required: + - allowAuthentication + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. 
+ // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index d542fc70c..f9d05ea77 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -1379,6 +1379,233 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). Do not specify a protocol or scheme since 'https://' will always be used. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"] +==== GitHubAllowAuthenticationSpec + +GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"] +==== GitHubAllowedAuthOrganizationsPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. 
This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. 
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githuborganizationsspec"] +==== GitHubOrganizationsSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set organizations: AllGitHubUsers. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1699,11 +1926,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.23/apis/supervisor/idp/v1alpha1/register.go b/generated/1.23/apis/supervisor/idp/v1alpha1/register.go index 8829a8638..705be8076 100644 --- a/generated/1.23/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.23/apis/supervisor/idp/v1alpha1/register.go 
@@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &LDAPIdentityProviderList{}, &ActiveDirectoryIdentityProvider{}, &ActiveDirectoryIdentityProviderList{}, + &GitHubIdentityProvider{}, + &GitHubIdentityProviderList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.23/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.23/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go new file mode 100644 index 000000000..85498a70e --- /dev/null +++ b/generated/1.23/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go 
@@ -0,0 +1,252 @@
+// Copyright 2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type GitHubIdentityProviderPhase string
+
+const (
+ // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources.
+ GitHubPhasePending GitHubIdentityProviderPhase = "Pending"
+
+ // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state.
+ GitHubPhaseReady GitHubIdentityProviderPhase = "Ready"
+
+ // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state.
+ GitHubPhaseError GitHubIdentityProviderPhase = "Error"
+)
+
+type GitHubAllowedAuthOrganizationsPolicy string
+
+const (
+ // GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity
+ // provider, regardless of their organization membership or lack thereof.
+ GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers"
+
+ // GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in
+ // the listed GitHub organizations are allowed to log in.
+ GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations"
+)
+
+// GitHubIdentityProviderStatus is the status of an GitHub identity provider.
+type GitHubIdentityProviderStatus struct {
+ // Phase summarizes the overall status of the GitHubIdentityProvider.
+ //
+ // +kubebuilder:default=Pending
+ // +kubebuilder:validation:Enum=Pending;Ready;Error
+ Phase GitHubIdentityProviderPhase `json:"phase,omitempty"`
+
+ // Conditions represents the observations of an identity provider's current state.
+ //
+ // +patchMergeKey=type
+ // +patchStrategy=merge
+ // +listType=map
+ // +listMapKey=type
+ Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+// GitHubAPIConfig allows configuration for GitHub Enterprise Server
+type GitHubAPIConfig struct {
+ // Host is required only for GitHub Enterprise Server.
+ // Defaults to using GitHub's public API (github.com).
+ // Do not specify a protocol or scheme since 'https://' will always be used.
+ //
+ // +kubebuilder:default="github.com"
+ // +kubebuilder:validation:MinLength=1
+ // +optional
+ Host *string `json:"host"`
+
+ // TLS configuration for GitHub Enterprise Server.
+ //
+ // +optional
+ TLS *TLSSpec `json:"tls,omitempty"`
+}
+
+// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
+// to Kubernetes. See the response schema for
+// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
+type GitHubUsernameAttribute string
+
+const (
+ // GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes.
+ GitHubUsernameID GitHubUsernameAttribute = "id"
+
+ // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes.
+ GitHubUsernameLogin GitHubUsernameAttribute = "login"
+
+ // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the
+ // username to present to Kubernetes, separated by a colon. Example: "my-login:1234"
+ GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id"
+)
+
+// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
+ // names to present to Kubernetes. See the response schema for
+// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
+type GitHubGroupNameAttribute string
+
+const (
+ // GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes.
+ GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name"
+
+ // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes.
+ GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug"
+)
+
+// GitHubClaims allows customization of the username and groups claims.
+type GitHubClaims struct {
+ // Username configures which property of the GitHub user record shall determine the username in Kubernetes.
+ //
+ // Can be either "id", "login", or "login:id". Defaults to "login:id".
+ //
+ // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
+ // and may not start or end with hyphens. GitHub users are allowed to change their login name,
+ // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
+ // then a second user might change their name from "baz" to "foo" in order to take the old
+ // username of the first user. For this reason, it is not as safe to make authorization decisions
+ // based only on the user's login attribute.
+ //
+ // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
+ // FederationDomain to further customize how these usernames are presented to Kubernetes.
+ //
+ // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
+ // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
+ // from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
+ // choice to concatenate the two values.
+ //
+ // See the response schema for
+ // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
+ //
+ // +kubebuilder:default="login:id"
+ // +kubebuilder:validation:Enum={"id","login","login:id"}
+ // +optional
+ Username *GitHubUsernameAttribute `json:"username"`
+
+ // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
+ //
+ // Can be either "name" or "slug". Defaults to "slug".
+ //
+ // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
+ //
+ // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
+ //
+ // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
+ // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
+ // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
+ // the team name or slug.
+ //
+ // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
+ // FederationDomain to further customize how these group names are presented to Kubernetes.
+ //
+ // See the response schema for
+ // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
+ //
+ // +kubebuilder:default=slug
+ // +kubebuilder:validation:Enum=name;slug
+ // +optional
+ Groups *GitHubGroupNameAttribute `json:"groups"`
+}
+
+// GitHubClientSpec contains information about the GitHub client that this identity provider will use
+ // for web-based login flows.
+type GitHubClientSpec struct {
+ // SecretName contains the name of a namespace-local Secret object that provides the clientID and
+ // clientSecret for an GitHub App or GitHub OAuth2 client.
+ //
+ // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
+ //
+ // +kubebuilder:validation:MinLength=1
+ SecretName string `json:"secretName"`
+}
+
+type GitHubOrganizationsSpec struct {
+ // Policy must be set to "AllGitHubUsers" if allowed is empty.
+ //
+ // This field only exists to ensure that Pinniped administrators are aware that an empty list of
+ // allowedOrganizations means all GitHub users are allowed to log in.
+ //
+ // +kubebuilder:default=OnlyUsersFromAllowedOrganizations
+ // +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers
+ // +optional
+ Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"`
+
+ // Allowed, when specified, indicates that only users with membership in at least one of the listed
+ // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
+ // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
+ // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
+ //
+ // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
+ // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
+ // within that organization.
+ //
+ // If no organizations are listed, you must set organizations: AllGitHubUsers.
+ //
+ // +kubebuilder:validation:MaxItems=64
+ // +listType=set
+ // +optional
+ Allowed []string `json:"allowed,omitempty"`
+}
+
+// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
+type GitHubAllowAuthenticationSpec struct {
+ // Organizations allows customization of which organizations can authenticate using this IDP.
+ // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')"
+ // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')"
+ Organizations GitHubOrganizationsSpec `json:"organizations"`
+}
+
+// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
+type GitHubIdentityProviderSpec struct {
+ // GitHubAPI allows configuration for GitHub Enterprise Server
+ //
+ // +kubebuilder:default={}
+ GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"`
+
+ // Claims allows customization of the username and groups claims.
+ //
+ // +optional
+ Claims GitHubClaims `json:"claims,omitempty"`
+
+ // AllowAuthentication allows customization of who can authenticate using this IDP and how.
+ AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"`
+
+ // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
+ Client GitHubClientSpec `json:"client"`
+}
+
+// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
+// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
+//
+// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
+ // as OIDCClients.
+// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/generated/1.23/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.23/apis/supervisor/idp/v1alpha1/types_tls.go index 1413a262c..49b49373c 100644 --- a/generated/1.23/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.23/apis/supervisor/idp/v1alpha1/types_tls.go @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional 
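Review bot: The `Allowed` field comment in GitHubOrganizationsSpec ends with `// If no organizations are listed, you must set organizations: AllGitHubUsers.`, but `organizations` is the enclosing struct and that value belongs to `policy`; the `Policy` comment likewise refers to an `allowedOrganizations` list although the JSON key is `allowed`, so an admin copying either phrasing is likely to get a rejected object instead of the intended setting on the one field that decides whether every GitHub account may log in. Suggest `// If no organizations are listed, you must set policy: AllGitHubUsers.` and `// an empty "allowed" list means all GitHub users are allowed to log in.`; GitHubOrganizationsSpec itself also lacks a doc comment. Separately, `GitHubAPIConfig.Host` is constrained only by MinLength=1 although its comment forbids a scheme, so a value such as `https://ghes.example.com/api` (constructed example) passes admission and can only fail later in the controller, which is not visible here; a field-level `// +kubebuilder:validation:XValidation:message="host must not contain a scheme or path",rule="!self.contains('://') && !self.contains('/')"` would surface that at apply time. This file under generated/1.23 appears to be a copy of the API template source, so the edits belong there and the generated copies (including the README.adoc entries above) should be regenerated.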
diff --git a/generated/1.23/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.23/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index b0cb168b5..e48860e82 100644 --- a/generated/1.23/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.23/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go 
@@ -203,6 +203,221 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec) { + *out = *in + in.Organizations.DeepCopyInto(&out.Organizations) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec. +func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec { + if in == nil { + return nil + } + out := new(GitHubAllowAuthenticationSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(GitHubUsernameAttribute) + **out = **in + } + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = new(GitHubGroupNameAttribute) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. 
+func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubAPI.DeepCopyInto(&out.GitHubAPI) + in.Claims.DeepCopyInto(&out.Claims) + in.AllowAuthentication.DeepCopyInto(&out.AllowAuthentication) + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec) { + *out = *in + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(GitHubAllowedAuthOrganizationsPolicy) + **out = **in + } + if in.Allowed != nil { + in, out := &in.Allowed, &out.Allowed + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec. +func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec { + if in == nil { + return nil + } + out := new(GitHubOrganizationsSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 000000000..0e91cb739 --- /dev/null 
+++ b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go 
@@ -0,0 +1,129 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"} + +var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index 0ae4b8aa4..db75247da 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6..a7acc8120 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} 
diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go
new file mode 100644
index 000000000..8f954e7c5
--- /dev/null
+++ b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go
@@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) 
(result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. 
+func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} 
diff --git a/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index 0dbcbbe3a..141fd4a7f 100644 --- a/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.23/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -16,6 +16,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.23/client/supervisor/informers/externalversions/generic.go b/generated/1.23/client/supervisor/informers/externalversions/generic.go index 985247778..4765b9eb0 100644 --- a/generated/1.23/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.23/client/supervisor/informers/externalversions/generic.go 
@@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.23/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.23/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..b76d66c69 --- /dev/null +++ b/generated/1.23/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. 
This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.23/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.23/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index 554a4a059..37345b829 100644 --- a/generated/1.23/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.23/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go 
@@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.23/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.23/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d..470c06abb 100644 --- a/generated/1.23/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.23/client/supervisor/listers/idp/v1alpha1/expansion_generated.go 
@@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.23/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.23/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..233132422 --- /dev/null +++ b/generated/1.23/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. 
+func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} 
diff --git a/generated/1.23/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.23/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml new file mode 100644 index 000000000..12b9a807f --- /dev/null +++ b/generated/1.23/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml 
@@ -0,0 +1,321 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.githubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. 
+ properties: + allowAuthentication: + description: AllowAuthentication allows customization of who can authenticate + using this IDP and how. + properties: + organizations: + description: Organizations allows customization of which organizations + can authenticate using this IDP. + properties: + allowed: + description: |- + Allowed, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set organizations: AllGitHubUsers. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + policy: + default: OnlyUsersFromAllowedOrganizations + description: |- + Policy must be set to "AllGitHubUsers" if allowed is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. 
+ enum: + - OnlyUsersFromAllowedOrganizations + - AllGitHubUsers + type: string + type: object + x-kubernetes-validations: + - message: spec.allowAuthentication.organizations.policy must + be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed + has organizations listed + rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy + == ''AllGitHubUsers'')' + - message: spec.allowAuthentication.organizations.policy must + be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed + is empty + rule: '!((!has(self.allowed) || size(self.allowed) == 0) && + self.policy == ''OnlyUsersFromAllowedOrganizations'')' + required: + - organizations + type: object + claims: + description: Claims allows customization of the username and groups + claims. + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. 
+ + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + choice to concatenate the two values. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). 
+ properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + minLength: 1 + type: string + required: + - secretName + type: object + githubAPI: + default: {} + description: GitHubAPI allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + Do not specify a protocol or scheme since 'https://' will always be used. + minLength: 1 + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + required: + - allowAuthentication + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc index 782f1cc2b..a785fa51d 100644 --- a/generated/1.24/README.adoc +++ b/generated/1.24/README.adoc 
@@ -1379,6 +1379,233 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). Do not specify a protocol or scheme since 'https://' will always be used. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"] +==== GitHubAllowAuthenticationSpec + +GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"] +==== GitHubAllowedAuthOrganizationsPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. 
This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. 
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuborganizationsspec"] +==== GitHubOrganizationsSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set organizations: AllGitHubUsers. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1699,11 +1926,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.24/apis/supervisor/idp/v1alpha1/register.go b/generated/1.24/apis/supervisor/idp/v1alpha1/register.go index 8829a8638..705be8076 100644 --- a/generated/1.24/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.24/apis/supervisor/idp/v1alpha1/register.go 
@@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &LDAPIdentityProviderList{}, &ActiveDirectoryIdentityProvider{}, &ActiveDirectoryIdentityProviderList{}, + &GitHubIdentityProvider{}, + &GitHubIdentityProviderList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.24/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.24/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go new file mode 100644 index 000000000..85498a70e --- /dev/null +++ b/generated/1.24/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go 
@@ -0,0 +1,252 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubAllowedAuthOrganizationsPolicy string + +const ( + // GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers" + + // GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in + // the listed GitHub organizations are allowed to log in. + GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. 
+ // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // Do not specify a protocol or scheme since 'https://' will always be used. + // + // +kubebuilder:default="github.com" + // +kubebuilder:validation:MinLength=1 + // +optional + Host *string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present +// to Kubernetes. See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // username to present to Kubernetes, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group +// names to present to Kubernetes. 
See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes. + GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims. +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. 
Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + // choice to concatenate the two values. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + // +optional + Username *GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + // +optional + Groups *GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. 
+type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName"` +} + +type GitHubOrganizationsSpec struct { + // Policy must be set to "AllGitHubUsers" if allowed is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=OnlyUsersFromAllowedOrganizations + // +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers + // +optional + Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"` + + // Allowed, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set organizations: AllGitHubUsers. + // + // +kubebuilder:validation:MaxItems=64 + // +listType=set + // +optional + Allowed []string `json:"allowed,omitempty"` +} + +// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. 
+type GitHubAllowAuthenticationSpec struct { + // Organizations allows customization of which organizations can authenticate using this IDP. + // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')" + // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')" + Organizations GitHubOrganizationsSpec `json:"organizations"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubAPI allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"` + + // Claims allows customization of the username and groups claims. + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowAuthentication allows customization of who can authenticate using this IDP and how. + AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. 
+// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go index 1413a262c..49b49373c 100644 --- a/generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional 
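Review bot: `GitHubAPIConfig.Host` in this hunk is documented as a bare hostname with 'https://' always prepended, but the only admission-time constraint is `+kubebuilder:validation:MinLength=1`, so a value carrying a scheme or path (e.g. `https://ghe.example.com/api`) is accepted by the API server and can only be rejected later by the controller, if at all. A CEL rule next to the existing markers would surface the mistake at apply time, e.g. `// +kubebuilder:validation:XValidation:message="host must not include a scheme or path",rule="!self.contains('://') && !self.contains('/')"`. Separately, the `Allowed` comment in `GitHubOrganizationsSpec` says `you must set organizations: AllGitHubUsers`, but the field that takes that value is `policy`; suggest `If no organizations are listed, you must set policy: AllGitHubUsers.` and a doc comment on the exported `GitHubOrganizationsSpec` type, which currently has none. Since this file sits under generated/, these edits presumably belong in the template it is copied from rather than here.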
diff --git a/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
index b0cb168b5..e48860e82 100644
--- a/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@@ -203,6 +203,221 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec) { + *out = *in + in.Organizations.DeepCopyInto(&out.Organizations) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec. +func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec { + if in == nil { + return nil + } + out := new(GitHubAllowAuthenticationSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(GitHubUsernameAttribute) + **out = **in + } + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = new(GitHubGroupNameAttribute) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. 
+func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubAPI.DeepCopyInto(&out.GitHubAPI) + in.Claims.DeepCopyInto(&out.Claims) + in.AllowAuthentication.DeepCopyInto(&out.AllowAuthentication) + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec) { + *out = *in + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(GitHubAllowedAuthOrganizationsPolicy) + **out = **in + } + if in.Allowed != nil { + in, out := &in.Allowed, &out.Allowed + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec. +func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec { + if in == nil { + return nil + } + out := new(GitHubOrganizationsSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 000000000..d93e826c1 --- /dev/null 
+++ b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go 
@@ -0,0 +1,129 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"} + +var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index c4da0d643..daa138783 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6..a7acc8120 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} 
diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go
new file mode 100644
index 000000000..2ee66b57f
--- /dev/null
+++ b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go
@@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) 
(result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. 
+func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} 
diff --git a/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index 697a152c1..8a72bfb69 100644 --- a/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -16,6 +16,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.24/client/supervisor/informers/externalversions/generic.go b/generated/1.24/client/supervisor/informers/externalversions/generic.go index 1a4058e49..2f28e5356 100644 --- a/generated/1.24/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.24/client/supervisor/informers/externalversions/generic.go 
@@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..c38cf993b --- /dev/null +++ b/generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. 
This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index b7cf724a6..32df7ee81 100644 --- a/generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go 
@@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.24/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.24/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d..470c06abb 100644 --- a/generated/1.24/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.24/client/supervisor/listers/idp/v1alpha1/expansion_generated.go 
@@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.24/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.24/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..b1364368a --- /dev/null +++ b/generated/1.24/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. 
+func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} 
diff --git a/generated/1.24/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.24/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
new file mode 100644
index 000000000..12b9a807f
--- /dev/null
+++ b/generated/1.24/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
@@ -0,0 +1,321 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.githubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. 
+ properties: + allowAuthentication: + description: AllowAuthentication allows customization of who can authenticate + using this IDP and how. + properties: + organizations: + description: Organizations allows customization of which organizations + can authenticate using this IDP. + properties: + allowed: + description: |- + Allowed, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set organizations: AllGitHubUsers. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + policy: + default: OnlyUsersFromAllowedOrganizations + description: |- + Policy must be set to "AllGitHubUsers" if allowed is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. 
+ enum: + - OnlyUsersFromAllowedOrganizations + - AllGitHubUsers + type: string + type: object + x-kubernetes-validations: + - message: spec.allowAuthentication.organizations.policy must + be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed + has organizations listed + rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy + == ''AllGitHubUsers'')' + - message: spec.allowAuthentication.organizations.policy must + be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed + is empty + rule: '!((!has(self.allowed) || size(self.allowed) == 0) && + self.policy == ''OnlyUsersFromAllowedOrganizations'')' + required: + - organizations + type: object + claims: + description: Claims allows customization of the username and groups + claims. + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. 
+ + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + choice to concatenate the two values. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). 
+ properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + minLength: 1 + type: string + required: + - secretName + type: object + githubAPI: + default: {} + description: GitHubAPI allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + Do not specify a protocol or scheme since 'https://' will always be used. + minLength: 1 + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + required: + - allowAuthentication + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/1.25/README.adoc b/generated/1.25/README.adoc index cb137d202..34ea4dec9 100644 --- a/generated/1.25/README.adoc +++ b/generated/1.25/README.adoc 
@@ -1379,6 +1379,233 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). Do not specify a protocol or scheme since 'https://' will always be used. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"] +==== GitHubAllowAuthenticationSpec + +GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"] +==== GitHubAllowedAuthOrganizationsPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. 
This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. 
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuborganizationsspec"] +==== GitHubOrganizationsSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set organizations: AllGitHubUsers. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1699,11 +1926,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.25/apis/supervisor/idp/v1alpha1/register.go b/generated/1.25/apis/supervisor/idp/v1alpha1/register.go index 8829a8638..705be8076 100644 --- a/generated/1.25/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.25/apis/supervisor/idp/v1alpha1/register.go 
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 &LDAPIdentityProviderList{},
 &ActiveDirectoryIdentityProvider{},
 &ActiveDirectoryIdentityProviderList{},
+ &GitHubIdentityProvider{},
+ &GitHubIdentityProviderList{},
 )
 metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 return nil
diff --git a/generated/1.25/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.25/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go
new file mode 100644
index 000000000..85498a70e
--- /dev/null
+++ b/generated/1.25/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go
@@ -0,0 +1,252 @@
+// Copyright 2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type GitHubIdentityProviderPhase string
+
+const (
+ // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources.
+ GitHubPhasePending GitHubIdentityProviderPhase = "Pending"
+
+ // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state.
+ GitHubPhaseReady GitHubIdentityProviderPhase = "Ready"
+
+ // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state.
+ GitHubPhaseError GitHubIdentityProviderPhase = "Error"
+)
+
+type GitHubAllowedAuthOrganizationsPolicy string
+
+const (
+ // GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity
+ // provider, regardless of their organization membership or lack thereof.
+ GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers"
+
+ // GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in
+ // the listed GitHub organizations are allowed to log in.
+ GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations"
+)
+
+// GitHubIdentityProviderStatus is the status of an GitHub identity provider.
+type GitHubIdentityProviderStatus struct {
+ // Phase summarizes the overall status of the GitHubIdentityProvider.
+ //
+ // +kubebuilder:default=Pending
+ // +kubebuilder:validation:Enum=Pending;Ready;Error
+ Phase GitHubIdentityProviderPhase `json:"phase,omitempty"`
+
+ // Conditions represents the observations of an identity provider's current state.
+ //
+ // +patchMergeKey=type
+ // +patchStrategy=merge
+ // +listType=map
+ // +listMapKey=type
+ Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+// GitHubAPIConfig allows configuration for GitHub Enterprise Server
+type GitHubAPIConfig struct {
+ // Host is required only for GitHub Enterprise Server.
+ // Defaults to using GitHub's public API (github.com).
+ // Do not specify a protocol or scheme since 'https://' will always be used.
+ //
+ // +kubebuilder:default="github.com"
+ // +kubebuilder:validation:MinLength=1
+ // +optional
+ Host *string `json:"host"`
+
+ // TLS configuration for GitHub Enterprise Server.
+ //
+ // +optional
+ TLS *TLSSpec `json:"tls,omitempty"`
+}
+
+// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
+// to Kubernetes. See the response schema for
+// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
+type GitHubUsernameAttribute string
+
+const (
+ // GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes.
+ GitHubUsernameID GitHubUsernameAttribute = "id"
+
+ // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes.
+ GitHubUsernameLogin GitHubUsernameAttribute = "login"
+
+ // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the
+ // username to present to Kubernetes, separated by a colon. Example: "my-login:1234"
+ GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id"
+)
+
+// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
+// names to present to Kubernetes. See the response schema for
+// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
+type GitHubGroupNameAttribute string
+
+const (
+ // GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes.
+ GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name"
+
+ // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes.
+ GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug"
+)
+
+// GitHubClaims allows customization of the username and groups claims.
+type GitHubClaims struct {
+ // Username configures which property of the GitHub user record shall determine the username in Kubernetes.
+ //
+ // Can be either "id", "login", or "login:id". Defaults to "login:id".
+ //
+ // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
+ // and may not start or end with hyphens. GitHub users are allowed to change their login name,
+ // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
+ // then a second user might change their name from "baz" to "foo" in order to take the old
+ // username of the first user. For this reason, it is not as safe to make authorization decisions
+ // based only on the user's login attribute.
+ //
+ // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
+ // FederationDomain to further customize how these usernames are presented to Kubernetes.
+ //
+ // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
+ // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
+ // from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
+ // choice to concatenate the two values.
+ //
+ // See the response schema for
+ // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
+ //
+ // +kubebuilder:default="login:id"
+ // +kubebuilder:validation:Enum={"id","login","login:id"}
+ // +optional
+ Username *GitHubUsernameAttribute `json:"username"`
+
+ // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
+ //
+ // Can be either "name" or "slug". Defaults to "slug".
+ //
+ // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
+ //
+ // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
+ //
+ // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
+ // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
+ // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
+ // the team name or slug.
+ //
+ // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
+ // FederationDomain to further customize how these group names are presented to Kubernetes.
+ //
+ // See the response schema for
+ // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
+ //
+ // +kubebuilder:default=slug
+ // +kubebuilder:validation:Enum=name;slug
+ // +optional
+ Groups *GitHubGroupNameAttribute `json:"groups"`
+}
+
+// GitHubClientSpec contains information about the GitHub client that this identity provider will use
+// for web-based login flows.
+type GitHubClientSpec struct {
+ // SecretName contains the name of a namespace-local Secret object that provides the clientID and
+ // clientSecret for an GitHub App or GitHub OAuth2 client.
+ //
+ // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
+ //
+ // +kubebuilder:validation:MinLength=1
+ SecretName string `json:"secretName"`
+}
+
+type GitHubOrganizationsSpec struct {
+ // Policy must be set to "AllGitHubUsers" if allowed is empty.
+ //
+ // This field only exists to ensure that Pinniped administrators are aware that an empty list of
+ // allowedOrganizations means all GitHub users are allowed to log in.
+ //
+ // +kubebuilder:default=OnlyUsersFromAllowedOrganizations
+ // +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers
+ // +optional
+ Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"`
+
+ // Allowed, when specified, indicates that only users with membership in at least one of the listed
+ // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
+ // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
+ // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
+ //
+ // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
+ // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
+ // within that organization.
+ //
+ // If no organizations are listed, you must set organizations: AllGitHubUsers.
+ //
+ // +kubebuilder:validation:MaxItems=64
+ // +listType=set
+ // +optional
+ Allowed []string `json:"allowed,omitempty"`
+}
+
+// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
+type GitHubAllowAuthenticationSpec struct {
+ // Organizations allows customization of which organizations can authenticate using this IDP.
+ // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')"
+ // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')"
+ Organizations GitHubOrganizationsSpec `json:"organizations"`
+}
+
+// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
+type GitHubIdentityProviderSpec struct {
+ // GitHubAPI allows configuration for GitHub Enterprise Server
+ //
+ // +kubebuilder:default={}
+ GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"`
+
+ // Claims allows customization of the username and groups claims.
+ //
+ // +optional
+ Claims GitHubClaims `json:"claims,omitempty"`
+
+ // AllowAuthentication allows customization of who can authenticate using this IDP and how.
+ AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"`
+
+ // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
+ Client GitHubClientSpec `json:"client"`
+}
+
+// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
+// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
+//
+// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
+// as OIDCClients.
+//
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type GitHubIdentityProvider struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec for configuring the identity provider.
+ Spec GitHubIdentityProviderSpec `json:"spec"`
+
+ // Status of the identity provider.
+ Status GitHubIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// GitHubIdentityProviderList lists GitHubIdentityProvider objects.
+//
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type GitHubIdentityProviderList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+
+ Items []GitHubIdentityProvider `json:"items"`
+}
diff --git a/generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go
index 1413a262c..49b49373c 100644
--- a/generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go
+++ b/generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go
@@ -1,9 +1,9 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 
-// Configuration for TLS parameters related to identity provider integration.
+// TLSSpec provides TLS configuration for identity provider integration.
 type TLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 // +optional
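Review bot: The doc comments on `GitHubOrganizationsSpec` in the types_githubidentityprovider.go hunk refer to fields that do not exist: the `Policy` comment says "an empty list of allowedOrganizations" and the `Allowed` comment ends with "you must set organizations: AllGitHubUsers", while the real JSON keys are `allowed` and `policy` (the CEL messages on `GitHubAllowAuthenticationSpec.Organizations` already use the correct `spec.allowAuthentication.organizations.policy`), so the CRD description tells an administrator to set a key the schema will reject. I would change those two lines to `// allowed means all GitHub users are allowed to log in.` and `// If no organizations are listed, you must set policy: AllGitHubUsers.`, and add a doc comment on the type itself, `// GitHubOrganizationsSpec allows customization of which organizations can authenticate using this IDP.`, since the type currently renders with an empty description in the generated README. Separately, `Allowed` is constrained only by `MaxItems=64` and `listType=set`, so an empty-string entry is accepted at admission even though the `Groups` comment states that organization login names are alphanumeric with single hyphens; a per-item minimum length or pattern (controller-gen's `items:` validation marker prefix, if this controller-gen version supports it) or a CEL rule would reject such entries before the controller ever sees them. The same gap applies to `GitHubAPIConfig.Host`, which has only `MinLength=1` although its comment forbids a scheme: nothing in the schema rejects a value containing `://` or a path, so the "https:// will always be used" promise is advisory rather than enforced unless the controller validates it. This file under generated/1.25 appears to be a copy of the `.tmpl` source, so the fix presumably belongs in the template and should be regenerated from there.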
diff --git a/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
index b0cb168b5..e48860e82 100644
--- a/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@@ -203,6 +203,221 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec) { + *out = *in + in.Organizations.DeepCopyInto(&out.Organizations) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec. +func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec { + if in == nil { + return nil + } + out := new(GitHubAllowAuthenticationSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(GitHubUsernameAttribute) + **out = **in + } + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = new(GitHubGroupNameAttribute) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. 
+func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubAPI.DeepCopyInto(&out.GitHubAPI) + in.Claims.DeepCopyInto(&out.Claims) + in.AllowAuthentication.DeepCopyInto(&out.AllowAuthentication) + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec) { + *out = *in + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(GitHubAllowedAuthOrganizationsPolicy) + **out = **in + } + if in.Allowed != nil { + in, out := &in.Allowed, &out.Allowed + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec. +func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec { + if in == nil { + return nil + } + out := new(GitHubOrganizationsSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 000000000..45c58d6c9 --- /dev/null 
+++ b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go 
@@ -0,0 +1,129 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"} + +var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index 0f1478ec2..b24e48b6b 100644 --- a/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6..a7acc8120 100644 --- a/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} 
diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go
new file mode 100644
index 000000000..38f338582
--- /dev/null
+++ b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go
@@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) 
(result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. 
+func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} 
diff --git a/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index 0b5b9aa4b..2ac25cfa4 100644 --- a/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -16,6 +16,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.25/client/supervisor/informers/externalversions/generic.go b/generated/1.25/client/supervisor/informers/externalversions/generic.go index 0fed0e6a5..3f465b949 100644 --- a/generated/1.25/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.25/client/supervisor/informers/externalversions/generic.go 
@@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..68089ae74 --- /dev/null +++ b/generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.25/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.25/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. 
This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index 61c46ea00..f25b7995f 100644 --- a/generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go 
@@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.25/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.25/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d..470c06abb 100644 --- a/generated/1.25/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.25/client/supervisor/listers/idp/v1alpha1/expansion_generated.go 
@@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.25/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.25/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..080cc4743 --- /dev/null +++ b/generated/1.25/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. 
+func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} 
diff --git a/generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
new file mode 100644
index 000000000..12b9a807f
--- /dev/null
+++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
@@ -0,0 +1,321 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.githubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. 
+ properties: + allowAuthentication: + description: AllowAuthentication allows customization of who can authenticate + using this IDP and how. + properties: + organizations: + description: Organizations allows customization of which organizations + can authenticate using this IDP. + properties: + allowed: + description: |- + Allowed, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set organizations: AllGitHubUsers. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + policy: + default: OnlyUsersFromAllowedOrganizations + description: |- + Policy must be set to "AllGitHubUsers" if allowed is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. 
+ enum: + - OnlyUsersFromAllowedOrganizations + - AllGitHubUsers + type: string + type: object + x-kubernetes-validations: + - message: spec.allowAuthentication.organizations.policy must + be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed + has organizations listed + rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy + == ''AllGitHubUsers'')' + - message: spec.allowAuthentication.organizations.policy must + be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed + is empty + rule: '!((!has(self.allowed) || size(self.allowed) == 0) && + self.policy == ''OnlyUsersFromAllowedOrganizations'')' + required: + - organizations + type: object + claims: + description: Claims allows customization of the username and groups + claims. + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. 
+ + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + choice to concatenate the two values. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). 
+ properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + minLength: 1 + type: string + required: + - secretName + type: object + githubAPI: + default: {} + description: GitHubAPI allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + Do not specify a protocol or scheme since 'https://' will always be used. + minLength: 1 + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + required: + - allowAuthentication + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/1.26/README.adoc b/generated/1.26/README.adoc index 17170f767..575243c65 100644 --- a/generated/1.26/README.adoc +++ b/generated/1.26/README.adoc 
@@ -1379,6 +1379,233 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). Do not specify a protocol or scheme since 'https://' will always be used. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"] +==== GitHubAllowAuthenticationSpec + +GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"] +==== GitHubAllowedAuthOrganizationsPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. 
This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. 
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuborganizationsspec"] +==== GitHubOrganizationsSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set organizations: AllGitHubUsers. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1699,11 +1926,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.26/apis/supervisor/idp/v1alpha1/register.go b/generated/1.26/apis/supervisor/idp/v1alpha1/register.go index 8829a8638..705be8076 100644 --- a/generated/1.26/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.26/apis/supervisor/idp/v1alpha1/register.go 
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&LDAPIdentityProviderList{},
 		&ActiveDirectoryIdentityProvider{},
 		&ActiveDirectoryIdentityProviderList{},
+		&GitHubIdentityProvider{},
+		&GitHubIdentityProviderList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil
diff --git a/generated/1.26/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.26/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go
new file mode 100644
index 000000000..85498a70e
--- /dev/null
+++ b/generated/1.26/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go
@@ -0,0 +1,252 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubAllowedAuthOrganizationsPolicy string + +const ( + // GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers" + + // GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in + // the listed GitHub organizations are allowed to log in. + GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. 
+ // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // Do not specify a protocol or scheme since 'https://' will always be used. + // + // +kubebuilder:default="github.com" + // +kubebuilder:validation:MinLength=1 + // +optional + Host *string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present +// to Kubernetes. See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // username to present to Kubernetes, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group +// names to present to Kubernetes. 
See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes. + GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims. +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. 
Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + // choice to concatenate the two values. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + // +optional + Username *GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + // +optional + Groups *GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. 
+type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName"` +} + +type GitHubOrganizationsSpec struct { + // Policy must be set to "AllGitHubUsers" if allowed is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=OnlyUsersFromAllowedOrganizations + // +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers + // +optional + Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"` + + // Allowed, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set organizations: AllGitHubUsers. + // + // +kubebuilder:validation:MaxItems=64 + // +listType=set + // +optional + Allowed []string `json:"allowed,omitempty"` +} + +// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. 
+type GitHubAllowAuthenticationSpec struct { + // Organizations allows customization of which organizations can authenticate using this IDP. + // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')" + // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')" + Organizations GitHubOrganizationsSpec `json:"organizations"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubAPI allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"` + + // Claims allows customization of the username and groups claims. + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowAuthentication allows customization of who can authenticate using this IDP and how. + AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. 
+// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go index 1413a262c..49b49373c 100644 --- a/generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional 
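Review bot: The doc comment on `Allowed` in `GitHubOrganizationsSpec` tells the admin to set `organizations: AllGitHubUsers` when the list is empty, but that enum value belongs to the sibling `policy` field, so the line should read `// If no organizations are listed, you must set policy: AllGitHubUsers.`; the two CEL rules on `Organizations` in `GitHubAllowAuthenticationSpec` enforce exactly this pairing and, together with the `OnlyUsersFromAllowedOrganizations` default, force an explicit opt-in before every GitHub user is accepted, which is the right behaviour for an allow-list. The doc comments also repeat "an GitHub" in `GitHubIdentityProviderStatus`, `GitHubClientSpec.SecretName` and `GitHubIdentityProviderSpec`, where "a GitHub" is meant. Since this file under generated/ appears to be a copy of the `types_githubidentityprovider.go.tmpl` template, the wording fix belongs in the template and should then be regenerated. One further point to confirm: `GitHubAPIConfig.Host` is constrained only by `MinLength=1`, so the schema itself does not reject a value that carries a path or port even though the comment promises `https://` is always prepended; if the controller does not canonicalize the value, a hostname-format check at the schema level would be worth adding.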
diff --git a/generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index b0cb168b5..e48860e82 100644 --- a/generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go 
@@ -203,6 +203,221 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec) { + *out = *in + in.Organizations.DeepCopyInto(&out.Organizations) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec. +func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec { + if in == nil { + return nil + } + out := new(GitHubAllowAuthenticationSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(GitHubUsernameAttribute) + **out = **in + } + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = new(GitHubGroupNameAttribute) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. 
+func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubAPI.DeepCopyInto(&out.GitHubAPI) + in.Claims.DeepCopyInto(&out.Claims) + in.AllowAuthentication.DeepCopyInto(&out.AllowAuthentication) + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec) { + *out = *in + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(GitHubAllowedAuthOrganizationsPolicy) + **out = **in + } + if in.Allowed != nil { + in, out := &in.Allowed, &out.Allowed + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec. +func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec { + if in == nil { + return nil + } + out := new(GitHubOrganizationsSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 000000000..305fc8f53 --- /dev/null 
+++ b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go 
@@ -0,0 +1,129 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.26/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"} + +var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index 9f99394f6..3af2f787b 100644 --- a/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6..a7acc8120 100644 --- a/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} 
diff --git a/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..c83e386e4 --- /dev/null +++ b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.26/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.26/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) 
(result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. 
+func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} 
diff --git a/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index d6c8bd42b..a1e8d6ce3 100644 --- a/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -16,6 +16,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.26/client/supervisor/informers/externalversions/generic.go b/generated/1.26/client/supervisor/informers/externalversions/generic.go index a9c2b1bc4..fa7dc1695 100644 --- a/generated/1.26/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.26/client/supervisor/informers/externalversions/generic.go 
@@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..f86968424 --- /dev/null +++ b/generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.26/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.26/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.26/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.26/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. 
This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index 8edaafa4a..1c89e4b1d 100644 --- a/generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go 
@@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.26/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.26/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d..470c06abb 100644 --- a/generated/1.26/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.26/client/supervisor/listers/idp/v1alpha1/expansion_generated.go 
@@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.26/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.26/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..a11c30dc5 --- /dev/null +++ b/generated/1.26/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.26/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. 
+func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} 
diff --git a/generated/1.26/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.26/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml new file mode 100644 index 000000000..12b9a807f --- /dev/null +++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml 
@@ -0,0 +1,321 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.githubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. 
+ properties: + allowAuthentication: + description: AllowAuthentication allows customization of who can authenticate + using this IDP and how. + properties: + organizations: + description: Organizations allows customization of which organizations + can authenticate using this IDP. + properties: + allowed: + description: |- + Allowed, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set organizations: AllGitHubUsers. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + policy: + default: OnlyUsersFromAllowedOrganizations + description: |- + Policy must be set to "AllGitHubUsers" if allowed is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. 
+ enum: + - OnlyUsersFromAllowedOrganizations + - AllGitHubUsers + type: string + type: object + x-kubernetes-validations: + - message: spec.allowAuthentication.organizations.policy must + be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed + has organizations listed + rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy + == ''AllGitHubUsers'')' + - message: spec.allowAuthentication.organizations.policy must + be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed + is empty + rule: '!((!has(self.allowed) || size(self.allowed) == 0) && + self.policy == ''OnlyUsersFromAllowedOrganizations'')' + required: + - organizations + type: object + claims: + description: Claims allows customization of the username and groups + claims. + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. 
+ + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + choice to concatenate the two values. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). 
+ properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + minLength: 1 + type: string + required: + - secretName + type: object + githubAPI: + default: {} + description: GitHubAPI allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + Do not specify a protocol or scheme since 'https://' will always be used. + minLength: 1 + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + required: + - allowAuthentication + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/1.27/README.adoc b/generated/1.27/README.adoc index 026512700..7454774e3 100644 --- a/generated/1.27/README.adoc +++ b/generated/1.27/README.adoc 
@@ -1379,6 +1379,233 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). Do not specify a protocol or scheme since 'https://' will always be used. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"] +==== GitHubAllowAuthenticationSpec + +GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"] +==== GitHubAllowedAuthOrganizationsPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. 
This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. 
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuborganizationsspec"] +==== GitHubOrganizationsSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set organizations: AllGitHubUsers. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1699,11 +1926,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.27/apis/supervisor/idp/v1alpha1/register.go b/generated/1.27/apis/supervisor/idp/v1alpha1/register.go index 8829a8638..705be8076 100644 --- a/generated/1.27/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.27/apis/supervisor/idp/v1alpha1/register.go 
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 &LDAPIdentityProviderList{},
 &ActiveDirectoryIdentityProvider{},
 &ActiveDirectoryIdentityProviderList{},
+ &GitHubIdentityProvider{},
+ &GitHubIdentityProviderList{},
 )
 metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 return nil
diff --git a/generated/1.27/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.27/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go
new file mode 100644
index 000000000..85498a70e
--- /dev/null
+++ b/generated/1.27/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go
@@ -0,0 +1,252 @@
+// Copyright 2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type GitHubIdentityProviderPhase string
+
+const (
+ // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources.
+ GitHubPhasePending GitHubIdentityProviderPhase = "Pending"
+
+ // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state.
+ GitHubPhaseReady GitHubIdentityProviderPhase = "Ready"
+
+ // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state.
+ GitHubPhaseError GitHubIdentityProviderPhase = "Error"
+)
+
+type GitHubAllowedAuthOrganizationsPolicy string
+
+const (
+ // GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity
+ // provider, regardless of their organization membership or lack thereof.
+ GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers"
+
+ // GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in
+ // the listed GitHub organizations are allowed to log in.
+ GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations"
+)
+
+// GitHubIdentityProviderStatus is the status of an GitHub identity provider.
+type GitHubIdentityProviderStatus struct {
+ // Phase summarizes the overall status of the GitHubIdentityProvider.
+ //
+ // +kubebuilder:default=Pending
+ // +kubebuilder:validation:Enum=Pending;Ready;Error
+ Phase GitHubIdentityProviderPhase `json:"phase,omitempty"`
+
+ // Conditions represents the observations of an identity provider's current state.
+ //
+ // +patchMergeKey=type
+ // +patchStrategy=merge
+ // +listType=map
+ // +listMapKey=type
+ Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+// GitHubAPIConfig allows configuration for GitHub Enterprise Server
+type GitHubAPIConfig struct {
+ // Host is required only for GitHub Enterprise Server.
+ // Defaults to using GitHub's public API (github.com).
+ // Do not specify a protocol or scheme since 'https://' will always be used.
+ //
+ // +kubebuilder:default="github.com"
+ // +kubebuilder:validation:MinLength=1
+ // +optional
+ Host *string `json:"host"`
+
+ // TLS configuration for GitHub Enterprise Server.
+ //
+ // +optional
+ TLS *TLSSpec `json:"tls,omitempty"`
+}
+
+// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
+// to Kubernetes. See the response schema for
+// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
+type GitHubUsernameAttribute string
+
+const (
+ // GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes.
+ GitHubUsernameID GitHubUsernameAttribute = "id"
+
+ // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes.
+ GitHubUsernameLogin GitHubUsernameAttribute = "login"
+
+ // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the
+ // username to present to Kubernetes, separated by a colon. Example: "my-login:1234"
+ GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id"
+)
+
+// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
+// names to present to Kubernetes. 
See the response schema for
+// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
+type GitHubGroupNameAttribute string
+
+const (
+ // GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes.
+ GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name"
+
+ // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes.
+ GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug"
+)
+
+// GitHubClaims allows customization of the username and groups claims.
+type GitHubClaims struct {
+ // Username configures which property of the GitHub user record shall determine the username in Kubernetes.
+ //
+ // Can be either "id", "login", or "login:id". Defaults to "login:id".
+ //
+ // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
+ // and may not start or end with hyphens. GitHub users are allowed to change their login name,
+ // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
+ // then a second user might change their name from "baz" to "foo" in order to take the old
+ // username of the first user. For this reason, it is not as safe to make authorization decisions
+ // based only on the user's login attribute.
+ //
+ // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
+ // FederationDomain to further customize how these usernames are presented to Kubernetes.
+ //
+ // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
+ // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
+ // from GitHub. 
Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
+ // choice to concatenate the two values.
+ //
+ // See the response schema for
+ // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
+ //
+ // +kubebuilder:default="login:id"
+ // +kubebuilder:validation:Enum={"id","login","login:id"}
+ // +optional
+ Username *GitHubUsernameAttribute `json:"username"`
+
+ // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
+ //
+ // Can be either "name" or "slug". Defaults to "slug".
+ //
+ // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
+ //
+ // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
+ //
+ // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
+ // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
+ // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
+ // the team name or slug.
+ //
+ // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
+ // FederationDomain to further customize how these group names are presented to Kubernetes.
+ //
+ // See the response schema for
+ // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
+ //
+ // +kubebuilder:default=slug
+ // +kubebuilder:validation:Enum=name;slug
+ // +optional
+ Groups *GitHubGroupNameAttribute `json:"groups"`
+}
+
+// GitHubClientSpec contains information about the GitHub client that this identity provider will use
+// for web-based login flows. 
+type GitHubClientSpec struct {
+ // SecretName contains the name of a namespace-local Secret object that provides the clientID and
+ // clientSecret for an GitHub App or GitHub OAuth2 client.
+ //
+ // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
+ //
+ // +kubebuilder:validation:MinLength=1
+ SecretName string `json:"secretName"`
+}
+
+type GitHubOrganizationsSpec struct {
+ // Policy must be set to "AllGitHubUsers" if allowed is empty.
+ //
+ // This field only exists to ensure that Pinniped administrators are aware that an empty list of
+ // allowedOrganizations means all GitHub users are allowed to log in.
+ //
+ // +kubebuilder:default=OnlyUsersFromAllowedOrganizations
+ // +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers
+ // +optional
+ Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"`
+
+ // Allowed, when specified, indicates that only users with membership in at least one of the listed
+ // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
+ // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
+ // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
+ //
+ // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
+ // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
+ // within that organization.
+ //
+ // If no organizations are listed, you must set organizations: AllGitHubUsers.
+ //
+ // +kubebuilder:validation:MaxItems=64
+ // +listType=set
+ // +optional
+ Allowed []string `json:"allowed,omitempty"`
+}
+
+// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. 
+type GitHubAllowAuthenticationSpec struct {
+ // Organizations allows customization of which organizations can authenticate using this IDP.
+ // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')"
+ // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')"
+ Organizations GitHubOrganizationsSpec `json:"organizations"`
+}
+
+// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
+type GitHubIdentityProviderSpec struct {
+ // GitHubAPI allows configuration for GitHub Enterprise Server
+ //
+ // +kubebuilder:default={}
+ GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"`
+
+ // Claims allows customization of the username and groups claims.
+ //
+ // +optional
+ Claims GitHubClaims `json:"claims,omitempty"`
+
+ // AllowAuthentication allows customization of who can authenticate using this IDP and how.
+ AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"`
+
+ // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
+ Client GitHubClientSpec `json:"client"`
+}
+
+// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
+// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
+//
+// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
+// as OIDCClients. 
+//
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
+// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:subresource:status
+type GitHubIdentityProvider struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec for configuring the identity provider.
+ Spec GitHubIdentityProviderSpec `json:"spec"`
+
+ // Status of the identity provider.
+ Status GitHubIdentityProviderStatus `json:"status,omitempty"`
+}
+
+// GitHubIdentityProviderList lists GitHubIdentityProvider objects.
+//
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type GitHubIdentityProviderList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+
+ Items []GitHubIdentityProvider `json:"items"`
+}
diff --git a/generated/1.27/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.27/apis/supervisor/idp/v1alpha1/types_tls.go
index 1413a262c..49b49373c 100644
--- a/generated/1.27/apis/supervisor/idp/v1alpha1/types_tls.go
+++ b/generated/1.27/apis/supervisor/idp/v1alpha1/types_tls.go
@@ -1,9 +1,9 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
 
-// Configuration for TLS parameters related to identity provider integration.
+// TLSSpec provides TLS configuration for identity provider integration.
 type TLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
 // +optional
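Review bot: The Allowed field comment in GitHubOrganizationsSpec ends with `If no organizations are listed, you must set organizations: AllGitHubUsers.`, but that value belongs to the sibling field, so it should read `If no organizations are listed, you must set policy: AllGitHubUsers.`; the Policy comment likewise says `allowedOrganizations` where the JSON field is `allowed`, and since this is a generated copy the wording presumably has to be corrected in the template it is produced from. GitHubAPIConfig.Host is documented as taking no protocol or scheme because 'https://' is always prepended, yet it only carries MinLength=1; a CEL rule on the field such as `+kubebuilder:validation:XValidation:message="host must not contain a scheme or path",rule="!self.contains('://') && !self.contains('/')"` would reject a mis-set host at admission instead of letting it surface later, presumably as an Error phase or a request to an unintended endpoint. Similarly, Allowed accepts arbitrary strings although the Groups comment states GitHub organization login names contain only alphanumerics and single hyphens; an item-level Pattern validation would catch a typo that would otherwise likely cause every login through this IDP to be rejected.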
diff --git a/generated/1.27/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.27/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
index b0cb168b5..e48860e82 100644
--- a/generated/1.27/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/1.27/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@@ -203,6 +203,221 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec) { + *out = *in + in.Organizations.DeepCopyInto(&out.Organizations) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec. +func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec { + if in == nil { + return nil + } + out := new(GitHubAllowAuthenticationSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(GitHubUsernameAttribute) + **out = **in + } + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = new(GitHubGroupNameAttribute) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. 
+func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubAPI.DeepCopyInto(&out.GitHubAPI) + in.Claims.DeepCopyInto(&out.Claims) + in.AllowAuthentication.DeepCopyInto(&out.AllowAuthentication) + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec) { + *out = *in + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(GitHubAllowedAuthOrganizationsPolicy) + **out = **in + } + if in.Allowed != nil { + in, out := &in.Allowed, &out.Allowed + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec. +func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec { + if in == nil { + return nil + } + out := new(GitHubOrganizationsSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 000000000..0f5fc1d90 --- /dev/null 
+++ b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go 
@@ -0,0 +1,128 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.27/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = v1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders") + +var githubidentityprovidersKind = v1alpha1.SchemeGroupVersion.WithKind("GitHubIdentityProvider") + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index a40338a69..f29ec9e31 100644 --- a/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6..a7acc8120 100644 --- a/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} 
diff --git a/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..e56865cd4 --- /dev/null +++ b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.27/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.27/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) 
(result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. 
+func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} 
diff --git a/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index c9eec1efd..48afb2a22 100644 --- a/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.27/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -16,6 +16,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.27/client/supervisor/informers/externalversions/generic.go b/generated/1.27/client/supervisor/informers/externalversions/generic.go index 535476ff3..72a959fb9 100644 --- a/generated/1.27/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.27/client/supervisor/informers/externalversions/generic.go 
@@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.27/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.27/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..b65004f2c --- /dev/null +++ b/generated/1.27/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.27/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.27/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.27/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.27/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. 
This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.27/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.27/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index 1dd455411..3466abdd5 100644 --- a/generated/1.27/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.27/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go 
@@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.27/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.27/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d..470c06abb 100644 --- a/generated/1.27/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.27/client/supervisor/listers/idp/v1alpha1/expansion_generated.go 
@@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.27/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.27/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..8cb38e379 --- /dev/null +++ b/generated/1.27/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.27/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. 
+func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} 
diff --git a/generated/1.27/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.27/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
new file mode 100644
index 000000000..12b9a807f
--- /dev/null
+++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
@@ -0,0 +1,321 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.githubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. 
+ properties: + allowAuthentication: + description: AllowAuthentication allows customization of who can authenticate + using this IDP and how. + properties: + organizations: + description: Organizations allows customization of which organizations + can authenticate using this IDP. + properties: + allowed: + description: |- + Allowed, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set organizations: AllGitHubUsers. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + policy: + default: OnlyUsersFromAllowedOrganizations + description: |- + Policy must be set to "AllGitHubUsers" if allowed is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. 
+ enum: + - OnlyUsersFromAllowedOrganizations + - AllGitHubUsers + type: string + type: object + x-kubernetes-validations: + - message: spec.allowAuthentication.organizations.policy must + be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed + has organizations listed + rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy + == ''AllGitHubUsers'')' + - message: spec.allowAuthentication.organizations.policy must + be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed + is empty + rule: '!((!has(self.allowed) || size(self.allowed) == 0) && + self.policy == ''OnlyUsersFromAllowedOrganizations'')' + required: + - organizations + type: object + claims: + description: Claims allows customization of the username and groups + claims. + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. 
+ + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + choice to concatenate the two values. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). 
+ properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + minLength: 1 + type: string + required: + - secretName + type: object + githubAPI: + default: {} + description: GitHubAPI allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + Do not specify a protocol or scheme since 'https://' will always be used. + minLength: 1 + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + required: + - allowAuthentication + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/1.28/README.adoc b/generated/1.28/README.adoc index 9f6f45886..c51bb6de6 100644 --- a/generated/1.28/README.adoc +++ b/generated/1.28/README.adoc 
@@ -1379,6 +1379,233 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). Do not specify a protocol or scheme since 'https://' will always be used. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"] +==== GitHubAllowAuthenticationSpec + +GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"] +==== GitHubAllowedAuthOrganizationsPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. 
This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. 
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuborganizationsspec"] +==== GitHubOrganizationsSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set organizations: AllGitHubUsers. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1699,11 +1926,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.28/apis/supervisor/idp/v1alpha1/register.go b/generated/1.28/apis/supervisor/idp/v1alpha1/register.go index 8829a8638..705be8076 100644 --- a/generated/1.28/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.28/apis/supervisor/idp/v1alpha1/register.go 
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package v1alpha1
@@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 &LDAPIdentityProviderList{},
 &ActiveDirectoryIdentityProvider{},
 &ActiveDirectoryIdentityProviderList{},
+ &GitHubIdentityProvider{},
+ &GitHubIdentityProviderList{},
 )
 metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 return nil
diff --git a/generated/1.28/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.28/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go
new file mode 100644
index 000000000..85498a70e
--- /dev/null
+++ b/generated/1.28/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go
@@ -0,0 +1,252 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubAllowedAuthOrganizationsPolicy string + +const ( + // GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers" + + // GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in + // the listed GitHub organizations are allowed to log in. + GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. 
+ // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // Do not specify a protocol or scheme since 'https://' will always be used. + // + // +kubebuilder:default="github.com" + // +kubebuilder:validation:MinLength=1 + // +optional + Host *string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present +// to Kubernetes. See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // username to present to Kubernetes, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group +// names to present to Kubernetes. 
See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes. + GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims. +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. 
Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + // choice to concatenate the two values. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + // +optional + Username *GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + // +optional + Groups *GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. 
+type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName"` +} + +type GitHubOrganizationsSpec struct { + // Policy must be set to "AllGitHubUsers" if allowed is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=OnlyUsersFromAllowedOrganizations + // +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers + // +optional + Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"` + + // Allowed, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set organizations: AllGitHubUsers. + // + // +kubebuilder:validation:MaxItems=64 + // +listType=set + // +optional + Allowed []string `json:"allowed,omitempty"` +} + +// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. 
+type GitHubAllowAuthenticationSpec struct { + // Organizations allows customization of which organizations can authenticate using this IDP. + // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')" + // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')" + Organizations GitHubOrganizationsSpec `json:"organizations"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubAPI allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"` + + // Claims allows customization of the username and groups claims. + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowAuthentication allows customization of who can authenticate using this IDP and how. + AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. 
+// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/generated/1.28/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.28/apis/supervisor/idp/v1alpha1/types_tls.go index 1413a262c..49b49373c 100644 --- a/generated/1.28/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.28/apis/supervisor/idp/v1alpha1/types_tls.go @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional 
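Review bot: The Allowed field comment in GitHubOrganizationsSpec ends with "If no organizations are listed, you must set organizations: AllGitHubUsers", but the field that takes that value is `policy`, so the line should read `// If no organizations are listed, you must set policy: AllGitHubUsers.` (and the fix belongs in the template this generated file is produced from). The GitHubAPIConfig.Host comment says a scheme must not be given because `https://` is always used, yet the only CRD validation is `MinLength=1`, so the API server will accept a value containing a scheme, path, port, or userinfo; unless the controller that consumes the spec rejects such values (not visible in this diff), a `+kubebuilder:validation:Pattern` restricting the value to a hostname with an optional port would make the documented contract enforceable at admission time. Likewise Allowed has `MaxItems=64` and `listType=set` but no per-item constraint, so empty or malformed organization names are accepted even though the Groups comment states organization login names are alphanumeric or single hyphens; if the controller-gen version in use supports the `items:` marker prefix, an items-level MinLength or Pattern would reject those entries early.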
diff --git a/generated/1.28/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.28/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index b0cb168b5..e48860e82 100644 --- a/generated/1.28/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.28/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go 
@@ -203,6 +203,221 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec) { + *out = *in + in.Organizations.DeepCopyInto(&out.Organizations) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec. +func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec { + if in == nil { + return nil + } + out := new(GitHubAllowAuthenticationSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(GitHubUsernameAttribute) + **out = **in + } + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = new(GitHubGroupNameAttribute) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. 
+func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubAPI.DeepCopyInto(&out.GitHubAPI) + in.Claims.DeepCopyInto(&out.Claims) + in.AllowAuthentication.DeepCopyInto(&out.AllowAuthentication) + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec) { + *out = *in + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(GitHubAllowedAuthOrganizationsPolicy) + **out = **in + } + if in.Allowed != nil { + in, out := &in.Allowed, &out.Allowed + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec. +func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec { + if in == nil { + return nil + } + out := new(GitHubOrganizationsSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 000000000..fa7edc00e --- /dev/null 
+++ b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go 
@@ -0,0 +1,128 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.28/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = v1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders") + +var githubidentityprovidersKind = v1alpha1.SchemeGroupVersion.WithKind("GitHubIdentityProvider") + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index ba8d3172b..739569ea5 100644 --- a/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6..a7acc8120 100644 --- a/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} 
diff --git a/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..6fc738ddb --- /dev/null +++ b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.28/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.28/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) 
(result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. 
+func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} 
diff --git a/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index 270c3aa75..88e24b3b7 100644 --- a/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.28/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -16,6 +16,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.28/client/supervisor/informers/externalversions/generic.go b/generated/1.28/client/supervisor/informers/externalversions/generic.go index 424728ebf..942d4fcfd 100644 --- a/generated/1.28/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.28/client/supervisor/informers/externalversions/generic.go 
@@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.28/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.28/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..adf752384 --- /dev/null +++ b/generated/1.28/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.28/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.28/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.28/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.28/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. 
This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.28/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.28/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index a46748908..b3649bb66 100644 --- a/generated/1.28/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.28/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go 
@@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.28/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.28/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d..470c06abb 100644 --- a/generated/1.28/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.28/client/supervisor/listers/idp/v1alpha1/expansion_generated.go 
@@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.28/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.28/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..fafffc48b --- /dev/null +++ b/generated/1.28/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.28/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. 
+func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} 
diff --git a/generated/1.28/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.28/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml new file mode 100644 index 000000000..12b9a807f --- /dev/null +++ b/generated/1.28/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml 
@@ -0,0 +1,321 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.githubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. 
+ properties: + allowAuthentication: + description: AllowAuthentication allows customization of who can authenticate + using this IDP and how. + properties: + organizations: + description: Organizations allows customization of which organizations + can authenticate using this IDP. + properties: + allowed: + description: |- + Allowed, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set organizations: AllGitHubUsers. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + policy: + default: OnlyUsersFromAllowedOrganizations + description: |- + Policy must be set to "AllGitHubUsers" if allowed is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. 
+ enum: + - OnlyUsersFromAllowedOrganizations + - AllGitHubUsers + type: string + type: object + x-kubernetes-validations: + - message: spec.allowAuthentication.organizations.policy must + be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed + has organizations listed + rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy + == ''AllGitHubUsers'')' + - message: spec.allowAuthentication.organizations.policy must + be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed + is empty + rule: '!((!has(self.allowed) || size(self.allowed) == 0) && + self.policy == ''OnlyUsersFromAllowedOrganizations'')' + required: + - organizations + type: object + claims: + description: Claims allows customization of the username and groups + claims. + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. 
+ + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + choice to concatenate the two values. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). 
+ properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + minLength: 1 + type: string + required: + - secretName + type: object + githubAPI: + default: {} + description: GitHubAPI allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + Do not specify a protocol or scheme since 'https://' will always be used. + minLength: 1 + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + required: + - allowAuthentication + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/1.29/README.adoc b/generated/1.29/README.adoc index dbecc10cf..ea7d33f67 100644 --- a/generated/1.29/README.adoc +++ b/generated/1.29/README.adoc 
@@ -1379,6 +1379,233 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). Do not specify a protocol or scheme since 'https://' will always be used. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"] +==== GitHubAllowAuthenticationSpec + +GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"] +==== GitHubAllowedAuthOrganizationsPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. 
This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. 
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuborganizationsspec"] +==== GitHubOrganizationsSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set organizations: AllGitHubUsers. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1699,11 +1926,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/1.29/apis/supervisor/idp/v1alpha1/register.go b/generated/1.29/apis/supervisor/idp/v1alpha1/register.go index 8829a8638..705be8076 100644 --- a/generated/1.29/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/1.29/apis/supervisor/idp/v1alpha1/register.go 
@@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &LDAPIdentityProviderList{}, &ActiveDirectoryIdentityProvider{}, &ActiveDirectoryIdentityProviderList{}, + &GitHubIdentityProvider{}, + &GitHubIdentityProviderList{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/generated/1.29/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/1.29/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go new file mode 100644 index 000000000..85498a70e --- /dev/null +++ b/generated/1.29/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go 
@@ -0,0 +1,252 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubAllowedAuthOrganizationsPolicy string + +const ( + // GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers" + + // GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in + // the listed GitHub organizations are allowed to log in. + GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. 
+ // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // Do not specify a protocol or scheme since 'https://' will always be used. + // + // +kubebuilder:default="github.com" + // +kubebuilder:validation:MinLength=1 + // +optional + Host *string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present +// to Kubernetes. See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // username to present to Kubernetes, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group +// names to present to Kubernetes. 
See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes. + GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims. +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. 
Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + // choice to concatenate the two values. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + // +optional + Username *GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + // +optional + Groups *GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. 
+type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName"` +} + +type GitHubOrganizationsSpec struct { + // Policy must be set to "AllGitHubUsers" if allowed is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=OnlyUsersFromAllowedOrganizations + // +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers + // +optional + Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"` + + // Allowed, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set organizations: AllGitHubUsers. + // + // +kubebuilder:validation:MaxItems=64 + // +listType=set + // +optional + Allowed []string `json:"allowed,omitempty"` +} + +// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. 
+type GitHubAllowAuthenticationSpec struct { + // Organizations allows customization of which organizations can authenticate using this IDP. + // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')" + // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')" + Organizations GitHubOrganizationsSpec `json:"organizations"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubAPI allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"` + + // Claims allows customization of the username and groups claims. + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowAuthentication allows customization of who can authenticate using this IDP and how. + AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. 
+// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/generated/1.29/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.29/apis/supervisor/idp/v1alpha1/types_tls.go index 1413a262c..49b49373c 100644 --- a/generated/1.29/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.29/apis/supervisor/idp/v1alpha1/types_tls.go @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional 
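Review bot: The doc comment on `GitHubOrganizationsSpec.Allowed` tells the admin "If no organizations are listed, you must set organizations: AllGitHubUsers", but `AllGitHubUsers` is a value of the sibling `policy` field, not of `organizations`; the README section generated from this comment repeats the mistake, so the line should read `// If no organizations are listed, you must set policy: AllGitHubUsers.`. `GitHubOrganizationsSpec` is also the only exported type in this hunk without a doc comment, which is why its README entry renders with an empty description; something like `// GitHubOrganizationsSpec configures which GitHub organizations' members may authenticate using this IDP.` would fix both. Separately, `GitHubAPIConfig.Host` promises that `https://` is always prepended but only carries `MinLength=1`, so the API server will accept a value containing a scheme, port or path; unless the controller rejects such values at reconcile time (not visible here), a `+kubebuilder:validation:Pattern` restricting it to a hostname would catch the misconfiguration at admission. This file is a generated mirror, so the fixes belong in the `.tmpl` under `apis/supervisor/idp/v1alpha1` that it is produced from.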
diff --git a/generated/1.29/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.29/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index b0cb168b5..e48860e82 100644 --- a/generated/1.29/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.29/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go 
@@ -203,6 +203,221 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec) { + *out = *in + in.Organizations.DeepCopyInto(&out.Organizations) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec. +func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec { + if in == nil { + return nil + } + out := new(GitHubAllowAuthenticationSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(GitHubUsernameAttribute) + **out = **in + } + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = new(GitHubGroupNameAttribute) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. 
+func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubAPI.DeepCopyInto(&out.GitHubAPI) + in.Claims.DeepCopyInto(&out.Claims) + in.AllowAuthentication.DeepCopyInto(&out.AllowAuthentication) + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec) { + *out = *in + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(GitHubAllowedAuthOrganizationsPolicy) + **out = **in + } + if in.Allowed != nil { + in, out := &in.Allowed, &out.Allowed + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec. +func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec { + if in == nil { + return nil + } + out := new(GitHubOrganizationsSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 000000000..67b4c883a --- /dev/null 
+++ b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go 
@@ -0,0 +1,128 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.29/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = v1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders") + +var githubidentityprovidersKind = v1alpha1.SchemeGroupVersion.WithKind("GitHubIdentityProvider") + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index b171331a5..683018c4a 100644 --- a/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6..a7acc8120 100644 --- a/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} 
diff --git a/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..6bb834703 --- /dev/null +++ b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.29/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.29/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) 
(result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. 
+func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} 
diff --git a/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index 1146d0dc1..f84063db4 100644 --- a/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/1.29/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -16,6 +16,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/1.29/client/supervisor/informers/externalversions/generic.go b/generated/1.29/client/supervisor/informers/externalversions/generic.go index 7f6c3edfe..eaa915525 100644 --- a/generated/1.29/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.29/client/supervisor/informers/externalversions/generic.go 
@@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/1.29/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/1.29/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..b0b233421 --- /dev/null +++ b/generated/1.29/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.29/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.29/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.29/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.29/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. 
This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.29/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.29/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index 8e6ee3f4b..39eece260 100644 --- a/generated/1.29/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/1.29/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go 
@@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/1.29/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.29/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d..470c06abb 100644 --- a/generated/1.29/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/1.29/client/supervisor/listers/idp/v1alpha1/expansion_generated.go 
@@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/1.29/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/1.29/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..63a6fcec7 --- /dev/null +++ b/generated/1.29/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,86 @@
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ v1alpha1 "go.pinniped.dev/generated/1.29/apis/supervisor/idp/v1alpha1"
+ "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/labels"
+ "k8s.io/client-go/tools/cache"
+)
+
+// GitHubIdentityProviderLister helps list GitHubIdentityProviders.
+// All objects returned here must be treated as read-only.
+type GitHubIdentityProviderLister interface {
+ // List lists all GitHubIdentityProviders in the indexer.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error)
+ // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders.
+ GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister
+ GitHubIdentityProviderListerExpansion
+}
+
+// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface.
+type gitHubIdentityProviderLister struct {
+ indexer cache.Indexer
+}
+
+// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister.
+func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister {
+ return &gitHubIdentityProviderLister{indexer: indexer}
+}
+
+// List lists all GitHubIdentityProviders in the indexer.
+func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) {
+ err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+ ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider))
+ })
+ return ret, err
+}
+
+// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders.
+func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister {
+ return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders.
+// All objects returned here must be treated as read-only.
+type GitHubIdentityProviderNamespaceLister interface {
+ // List lists all GitHubIdentityProviders in the indexer for a given namespace.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error)
+ // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name.
+ // Objects returned here must be treated as read-only.
+ Get(name string) (*v1alpha1.GitHubIdentityProvider, error)
+ GitHubIdentityProviderNamespaceListerExpansion
+}
+
+// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister
+// interface.
+type gitHubIdentityProviderNamespaceLister struct {
+ indexer cache.Indexer
+ namespace string
+}
+
+// List lists all GitHubIdentityProviders in the indexer for a given namespace.
+func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) {
+ err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+ ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider))
+ })
+ return ret, err
+}
+
+// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name.
+func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) {
+ obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+ if err != nil {
+ return nil, err
+ }
+ if !exists {
+ return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name)
+ }
+ return obj.(*v1alpha1.GitHubIdentityProvider), nil
+}
diff --git a/generated/1.29/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.29/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
new file mode 100644
index 000000000..12b9a807f
--- /dev/null
+++ b/generated/1.29/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
@@ -0,0 +1,321 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: githubidentityproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: GitHubIdentityProvider + listKind: GitHubIdentityProviderList + plural: githubidentityproviders + singular: githubidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.githubAPI.host + name: Host + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. + This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + + + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured + as OIDCClients. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. 
+ properties: + allowAuthentication: + description: AllowAuthentication allows customization of who can authenticate + using this IDP and how. + properties: + organizations: + description: Organizations allows customization of which organizations + can authenticate using this IDP. + properties: + allowed: + description: |- + Allowed, when specified, indicates that only users with membership in at least one of the listed + GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + + The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + within that organization. + + + If no organizations are listed, you must set organizations: AllGitHubUsers. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + policy: + default: OnlyUsersFromAllowedOrganizations + description: |- + Policy must be set to "AllGitHubUsers" if allowed is empty. + + + This field only exists to ensure that Pinniped administrators are aware that an empty list of + allowedOrganizations means all GitHub users are allowed to log in. 
+ enum: + - OnlyUsersFromAllowedOrganizations + - AllGitHubUsers + type: string + type: object + x-kubernetes-validations: + - message: spec.allowAuthentication.organizations.policy must + be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed + has organizations listed + rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy + == ''AllGitHubUsers'')' + - message: spec.allowAuthentication.organizations.policy must + be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed + is empty + rule: '!((!has(self.allowed) || size(self.allowed) == 0) && + self.policy == ''OnlyUsersFromAllowedOrganizations'')' + required: + - organizations + type: object + claims: + description: Claims allows customization of the username and groups + claims. + properties: + groups: + default: slug + description: |- + Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + + Can be either "name" or "slug". Defaults to "slug". + + + GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + + GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + + Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + the team name or slug. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these group names are presented to Kubernetes. 
+ + + See the response schema for + [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + enum: + - name + - slug + type: string + username: + default: login:id + description: |- + Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + + Can be either "id", "login", or "login:id". Defaults to "login:id". + + + GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + and may not start or end with hyphens. GitHub users are allowed to change their login name, + although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + then a second user might change their name from "baz" to "foo" in order to take the old + username of the first user. For this reason, it is not as safe to make authorization decisions + based only on the user's login attribute. + + + If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + FederationDomain to further customize how these usernames are presented to Kubernetes. + + + Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + choice to concatenate the two values. + + + See the response schema for + [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + enum: + - id + - login + - login:id + type: string + type: object + client: + description: Client identifies the secret with credentials for a GitHub + App or GitHub OAuth2 App (a GitHub client). 
+ properties: + secretName: + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an GitHub App or GitHub OAuth2 client. + + + This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + minLength: 1 + type: string + required: + - secretName + type: object + githubAPI: + default: {} + description: GitHubAPI allows configuration for GitHub Enterprise + Server + properties: + host: + default: github.com + description: |- + Host is required only for GitHub Enterprise Server. + Defaults to using GitHub's public API (github.com). + Do not specify a protocol or scheme since 'https://' will always be used. + minLength: 1 + type: string + tls: + description: TLS configuration for GitHub Enterprise Server. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). If omitted, a default set of system roots will + be trusted. + type: string + type: object + type: object + required: + - allowAuthentication + - client + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Conditions represents the observations of an identity + provider's current state. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the GitHubIdentityProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/generated/latest/README.adoc b/generated/latest/README.adoc index dbecc10cf..ea7d33f67 100644 --- a/generated/latest/README.adoc +++ b/generated/latest/README.adoc 
@@ -1379,6 +1379,233 @@ Status of an Active Directory identity provider. |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig"] +==== GitHubAPIConfig + +GitHubAPIConfig allows configuration for GitHub Enterprise Server + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API (github.com). Do not specify a protocol or scheme since 'https://' will always be used. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"] +==== GitHubAllowAuthenticationSpec + +GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"] +==== GitHubAllowedAuthOrganizationsPolicy (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims"] +==== GitHubClaims + +GitHubClaims allows customization of the username and groups claims. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. + + +Can be either "id", "login", or "login:id". Defaults to "login:id". + + +GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. + + +Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. 
This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. + + +See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + + +Can be either "name" or "slug". Defaults to "slug". + + +GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + + +GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + + +Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. + + +If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. + + +See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclientspec"] +==== GitHubClientSpec + +GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. + + +This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"] +==== GitHubGroupNameAttribute (string) + +GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityprovider"] +==== GitHubIdentityProvider + +GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. + Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"] +==== GitHubIdentityProviderPhase (string) + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$] +**** + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"] +==== GitHubIdentityProviderSpec + +GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. 
+ +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"] +==== GitHubIdentityProviderStatus + +GitHubIdentityProviderStatus is the status of an GitHub identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. 
+| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuborganizationsspec"] +==== GitHubOrganizationsSpec + + + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. + + +This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in. +| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + + +The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. + + +If no organizations are listed, you must set organizations: AllGitHubUsers. 
+|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubusernameattribute"] +==== GitHubUsernameAttribute (string) + +GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$] +**** + + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-ldapidentityprovider"] ==== LDAPIdentityProvider @@ -1699,11 +1926,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request. [id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-tlsspec"] ==== TLSSpec -Configuration for TLS parameters related to identity provider integration. +TLSSpec provides TLS configuration for identity provider integration. .Appears In: **** - xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$] +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$] - xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$] **** diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/register.go b/generated/latest/apis/supervisor/idp/v1alpha1/register.go index 8829a8638..705be8076 100644 --- a/generated/latest/apis/supervisor/idp/v1alpha1/register.go +++ b/generated/latest/apis/supervisor/idp/v1alpha1/register.go 
@@ -1,4 +1,4 @@
-// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package v1alpha1
@@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 &LDAPIdentityProviderList{},
 &ActiveDirectoryIdentityProvider{},
 &ActiveDirectoryIdentityProviderList{},
+ &GitHubIdentityProvider{},
+ &GitHubIdentityProviderList{},
 )
 metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 return nil
diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go b/generated/latest/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go
new file mode 100644
index 000000000..85498a70e
--- /dev/null
+++ b/generated/latest/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go
@@ -0,0 +1,252 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type GitHubIdentityProviderPhase string + +const ( + // GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources. + GitHubPhasePending GitHubIdentityProviderPhase = "Pending" + + // GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state. + GitHubPhaseReady GitHubIdentityProviderPhase = "Ready" + + // GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state. + GitHubPhaseError GitHubIdentityProviderPhase = "Error" +) + +type GitHubAllowedAuthOrganizationsPolicy string + +const ( + // GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity + // provider, regardless of their organization membership or lack thereof. + GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers" + + // GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in + // the listed GitHub organizations are allowed to log in. + GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations" +) + +// GitHubIdentityProviderStatus is the status of an GitHub identity provider. +type GitHubIdentityProviderStatus struct { + // Phase summarizes the overall status of the GitHubIdentityProvider. + // + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase GitHubIdentityProviderPhase `json:"phase,omitempty"` + + // Conditions represents the observations of an identity provider's current state. 
+ // + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// GitHubAPIConfig allows configuration for GitHub Enterprise Server +type GitHubAPIConfig struct { + // Host is required only for GitHub Enterprise Server. + // Defaults to using GitHub's public API (github.com). + // Do not specify a protocol or scheme since 'https://' will always be used. + // + // +kubebuilder:default="github.com" + // +kubebuilder:validation:MinLength=1 + // +optional + Host *string `json:"host"` + + // TLS configuration for GitHub Enterprise Server. + // + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present +// to Kubernetes. See the response schema for +// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +type GitHubUsernameAttribute string + +const ( + // GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes. + GitHubUsernameID GitHubUsernameAttribute = "id" + + // GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes. + GitHubUsernameLogin GitHubUsernameAttribute = "login" + + // GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the + // username to present to Kubernetes, separated by a colon. Example: "my-login:1234" + GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id" +) + +// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group +// names to present to Kubernetes. 
See the response schema for +// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +type GitHubGroupNameAttribute string + +const ( + // GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes. + GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name" + + // GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes. + GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug" +) + +// GitHubClaims allows customization of the username and groups claims. +type GitHubClaims struct { + // Username configures which property of the GitHub user record shall determine the username in Kubernetes. + // + // Can be either "id", "login", or "login:id". Defaults to "login:id". + // + // GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, + // and may not start or end with hyphens. GitHub users are allowed to change their login name, + // although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", + // then a second user might change their name from "baz" to "foo" in order to take the old + // username of the first user. For this reason, it is not as safe to make authorization decisions + // based only on the user's login attribute. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these usernames are presented to Kubernetes. + // + // Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and + // unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value + // from GitHub. 
Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable + // choice to concatenate the two values. + // + // See the response schema for + // [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). + // + // +kubebuilder:default="login:id" + // +kubebuilder:validation:Enum={"id","login","login:id"} + // +optional + Username *GitHubUsernameAttribute `json:"username"` + + // Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. + // + // Can be either "name" or "slug". Defaults to "slug". + // + // GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). + // + // GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). + // + // Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a + // forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters + // or single hyphens, so the first forward slash `/` will be the separator between the organization login name and + // the team name or slug. + // + // If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's + // FederationDomain to further customize how these group names are presented to Kubernetes. + // + // See the response schema for + // [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). + // + // +kubebuilder:default=slug + // +kubebuilder:validation:Enum=name;slug + // +optional + Groups *GitHubGroupNameAttribute `json:"groups"` +} + +// GitHubClientSpec contains information about the GitHub client that this identity provider will use +// for web-based login flows. 
+type GitHubClientSpec struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an GitHub App or GitHub OAuth2 client. + // + // This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName"` +} + +type GitHubOrganizationsSpec struct { + // Policy must be set to "AllGitHubUsers" if allowed is empty. + // + // This field only exists to ensure that Pinniped administrators are aware that an empty list of + // allowedOrganizations means all GitHub users are allowed to log in. + // + // +kubebuilder:default=OnlyUsersFromAllowedOrganizations + // +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers + // +optional + Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"` + + // Allowed, when specified, indicates that only users with membership in at least one of the listed + // GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include + // teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be + // provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. + // + // The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, + // otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams + // within that organization. + // + // If no organizations are listed, you must set organizations: AllGitHubUsers. + // + // +kubebuilder:validation:MaxItems=64 + // +listType=set + // +optional + Allowed []string `json:"allowed,omitempty"` +} + +// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how. 
+type GitHubAllowAuthenticationSpec struct { + // Organizations allows customization of which organizations can authenticate using this IDP. + // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')" + // +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')" + Organizations GitHubOrganizationsSpec `json:"organizations"` +} + +// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider. +type GitHubIdentityProviderSpec struct { + // GitHubAPI allows configuration for GitHub Enterprise Server + // + // +kubebuilder:default={} + GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"` + + // Claims allows customization of the username and groups claims. + // + // +optional + Claims GitHubClaims `json:"claims,omitempty"` + + // AllowAuthentication allows customization of who can authenticate using this IDP and how. + AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"` + + // Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). + Client GitHubClientSpec `json:"client"` +} + +// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. +// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App. +// +// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured +// as OIDCClients. 
+// +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type GitHubIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec GitHubIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status GitHubIdentityProviderStatus `json:"status,omitempty"` +} + +// GitHubIdentityProviderList lists GitHubIdentityProvider objects. +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type GitHubIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []GitHubIdentityProvider `json:"items"` +} diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/latest/apis/supervisor/idp/v1alpha1/types_tls.go index 1413a262c..49b49373c 100644 --- a/generated/latest/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/latest/apis/supervisor/idp/v1alpha1/types_tls.go @@ -1,9 +1,9 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 -// Configuration for TLS parameters related to identity provider integration. +// TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional 
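Review bot: `GitHubAPIConfig.Host` carries only `MinLength=1`, so the CRD admits a value with a scheme, userinfo or path even though the field comment says `https://` is always prepended and no scheme may be given; whether the Supervisor controller rejects such values later is not visible in this diff. A CEL rule on the field would fail closed at admission, for example `// +kubebuilder:validation:XValidation:message="host must not contain a scheme or path",rule="!self.contains('://') && !self.contains('/')"`. Likewise `GitHubOrganizationsSpec.Allowed` has a `MaxItems` but no per-item constraint, so an empty string or a value with characters GitHub org logins cannot contain (the `Groups` comment itself says "alphanumeric characters or single hyphens") is accepted and only surfaces as a failed login; an item-level `+kubebuilder:validation:items:Pattern=^[a-zA-Z0-9]+(-[a-zA-Z0-9]+)*$` marker would catch that at apply time. The fail-closed default of `policy: OnlyUsersFromAllowedOrganizations` combined with the two XValidation rules is a good design; it is worth stating in the `Policy` comment that those rules depend on the default being applied before validation, since they read `self.policy` without a `has()` guard.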
diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
index b0cb168b5..e48860e82 100644
--- a/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
+++ b/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go
@@ -203,6 +203,221 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { + *out = *in + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(string) + **out = **in + } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig. +func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig { + if in == nil { + return nil + } + out := new(GitHubAPIConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec) { + *out = *in + in.Organizations.DeepCopyInto(&out.Organizations) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec. +func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec { + if in == nil { + return nil + } + out := new(GitHubAllowAuthenticationSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) { + *out = *in + if in.Username != nil { + in, out := &in.Username, &out.Username + *out = new(GitHubUsernameAttribute) + **out = **in + } + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = new(GitHubGroupNameAttribute) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims. 
+func (in *GitHubClaims) DeepCopy() *GitHubClaims { + if in == nil { + return nil + } + out := new(GitHubClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec. +func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec { + if in == nil { + return nil + } + out := new(GitHubClientSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider. +func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider { + if in == nil { + return nil + } + out := new(GitHubIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]GitHubIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList. +func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) { + *out = *in + in.GitHubAPI.DeepCopyInto(&out.GitHubAPI) + in.Claims.DeepCopyInto(&out.Claims) + in.AllowAuthentication.DeepCopyInto(&out.AllowAuthentication) + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec. +func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus. +func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus { + if in == nil { + return nil + } + out := new(GitHubIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec) { + *out = *in + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(GitHubAllowedAuthOrganizationsPolicy) + **out = **in + } + if in.Allowed != nil { + in, out := &in.Allowed, &out.Allowed + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec. +func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec { + if in == nil { + return nil + } + out := new(GitHubOrganizationsSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) { *out = *in diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go new file mode 100644 index 000000000..92a26af6b --- /dev/null 
+++ b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go 
@@ -0,0 +1,128 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface +type FakeGitHubIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var githubidentityprovidersResource = v1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders") + +var githubidentityprovidersKind = v1alpha1.SchemeGroupVersion.WithKind("GitHubIdentityProvider") + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. +func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.GitHubIdentityProvider), err +} diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go index 4c12669cb..66ac8e979 100644 --- a/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a return &FakeActiveDirectoryIdentityProviders{c, namespace} } +func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface { + return &FakeGitHubIdentityProviders{c, namespace} +} + func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface { return &FakeLDAPIdentityProviders{c, namespace} } diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go index 79be098d6..a7acc8120 100644 --- a/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -7,6 +7,8 @@ package v1alpha1 type ActiveDirectoryIdentityProviderExpansion interface{} +type GitHubIdentityProviderExpansion interface{} + type LDAPIdentityProviderExpansion interface{} type OIDCIdentityProviderExpansion interface{} 
diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go
new file mode 100644
index 000000000..1fdb60270
--- /dev/null
+++ b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go
@@ -0,0 +1,182 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface. +// A group's client should implement this interface. +type GitHubIdentityProvidersGetter interface { + GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface +} + +// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources. +type GitHubIdentityProviderInterface interface { + Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) 
(result *v1alpha1.GitHubIdentityProvider, err error) + GitHubIdentityProviderExpansion +} + +// gitHubIdentityProviders implements GitHubIdentityProviderInterface +type gitHubIdentityProviders struct { + client rest.Interface + ns string +} + +// newGitHubIdentityProviders returns a GitHubIdentityProviders +func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders { + return &gitHubIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any. +func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors. +func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.GitHubIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders. 
+func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any. +func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). 
+func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(gitHubIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(gitHubIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs. +func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("githubidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched gitHubIdentityProvider. +func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) { + result = &v1alpha1.GitHubIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("githubidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} 
diff --git a/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go index 92f07c525..f97dc2b57 100644 --- a/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go +++ b/generated/latest/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -16,6 +16,7 @@ import ( type IDPV1alpha1Interface interface { RESTClient() rest.Interface ActiveDirectoryIdentityProvidersGetter + GitHubIdentityProvidersGetter LDAPIdentityProvidersGetter OIDCIdentityProvidersGetter } @@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A return newActiveDirectoryIdentityProviders(c, namespace) } +func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface { + return newGitHubIdentityProviders(c, namespace) +} + func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface { return newLDAPIdentityProviders(c, namespace) } diff --git a/generated/latest/client/supervisor/informers/externalversions/generic.go b/generated/latest/client/supervisor/informers/externalversions/generic.go index 1a0ceca9d..ac9a51d09 100644 --- a/generated/latest/client/supervisor/informers/externalversions/generic.go +++ b/generated/latest/client/supervisor/informers/externalversions/generic.go 
@@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil + case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"): diff --git a/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go b/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..1fed31c5e --- /dev/null +++ b/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,77 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/latest/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderInformer provides access to a shared informer and lister for +// GitHubIdentityProviders. +type GitHubIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.GitHubIdentityProviderLister +} + +type gitHubIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. 
This reduces memory footprint and number of connections to the server. +func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.GitHubIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer) +} + +func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister { + return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go index 60166e32e..aad59963b 100644 --- a/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go +++ b/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go 
@@ -13,6 +13,8 @@ import ( type Interface interface { // ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer. ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer + // GitHubIdentityProviders returns a GitHubIdentityProviderInformer. + GitHubIdentityProviders() GitHubIdentityProviderInformer // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. LDAPIdentityProviders() LDAPIdentityProviderInformer // OIDCIdentityProviders returns a OIDCIdentityProviderInformer. @@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } +// GitHubIdentityProviders returns a GitHubIdentityProviderInformer. +func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer { + return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // LDAPIdentityProviders returns a LDAPIdentityProviderInformer. func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer { return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/generated/latest/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/latest/client/supervisor/listers/idp/v1alpha1/expansion_generated.go index b491a9e8d..470c06abb 100644 --- a/generated/latest/client/supervisor/listers/idp/v1alpha1/expansion_generated.go +++ b/generated/latest/client/supervisor/listers/idp/v1alpha1/expansion_generated.go 
@@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{} // ActiveDirectoryIdentityProviderNamespaceLister. type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{} +// GitHubIdentityProviderListerExpansion allows custom methods to be added to +// GitHubIdentityProviderLister. +type GitHubIdentityProviderListerExpansion interface{} + +// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// GitHubIdentityProviderNamespaceLister. +type GitHubIdentityProviderNamespaceListerExpansion interface{} + // LDAPIdentityProviderListerExpansion allows custom methods to be added to // LDAPIdentityProviderLister. type LDAPIdentityProviderListerExpansion interface{} diff --git a/generated/latest/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go b/generated/latest/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go new file mode 100644 index 000000000..51564bc9a --- /dev/null +++ b/generated/latest/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go 
@@ -0,0 +1,86 @@ +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// GitHubIdentityProviderLister helps list GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderLister interface { + // List lists all GitHubIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. + GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister + GitHubIdentityProviderListerExpansion +} + +// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface. +type gitHubIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister. +func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister { + return &gitHubIdentityProviderLister{indexer: indexer} +} + +// List lists all GitHubIdentityProviders in the indexer. +func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders. 
+func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister { + return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders. +// All objects returned here must be treated as read-only. +type GitHubIdentityProviderNamespaceLister interface { + // List lists all GitHubIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) + // Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.GitHubIdentityProvider, error) + GitHubIdentityProviderNamespaceListerExpansion +} + +// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister +// interface. +type gitHubIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all GitHubIdentityProviders in the indexer for a given namespace. +func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name. +func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name) + } + return obj.(*v1alpha1.GitHubIdentityProvider), nil +} 
diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go
index 327c31a45..a6fc263bb 100644
--- a/test/integration/kube_api_discovery_test.go
+++ b/test/integration/kube_api_discovery_test.go
@@ -248,6 +248,20 @@ func TestGetAPIResourceList(t *testing.T) { //nolint:gocyclo // each t.Run is pr
 Kind: "ActiveDirectoryIdentityProvider",
 Verbs: []string{"get", "patch", "update"},
 },
+ {
+ Name: "githubidentityproviders",
+ SingularName: "githubidentityprovider",
+ Namespaced: true,
+ Kind: "GitHubIdentityProvider",
+ Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
+ Categories: []string{"pinniped", "pinniped-idp", "pinniped-idps"},
+ },
+ {
+ Name: "githubidentityproviders/status",
+ Namespaced: true,
+ Kind: "GitHubIdentityProvider",
+ Verbs: []string{"get", "patch", "update"},
+ },
 },
 },
 },
@@ -438,7 +452,7 @@ func TestGetAPIResourceList(t *testing.T) { //nolint:gocyclo // each t.Run is pr
 }
 // manually update this value whenever you add additional fields to an API resource and then run the generator
- totalExpectedAPIFields := 261
+ totalExpectedAPIFields := 287
 // Because we are parsing text from `kubectl explain` and because the format of that text can change
 // over time, make a rudimentary assertion that this test exercised the whole tree of all fields of all
@@ -579,6 +593,13 @@ func TestCRDAdditionalPrinterColumns_Parallel(t *testing.T) {
 {Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"},
 },
 },
+ addSuffix("githubidentityproviders.idp.supervisor"): {
+ "v1alpha1": []apiextensionsv1.CustomResourceColumnDefinition{
+ {Name: "Host", Type: "string", JSONPath: ".spec.githubAPI.host"},
+ {Name: "Status", Type: "string", JSONPath: ".status.phase"},
+ {Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"},
+ },
+ },
 addSuffix("oidcclients.config.supervisor"): {
 "v1alpha1": []apiextensionsv1.CustomResourceColumnDefinition{
 {Name: "Privileged Scopes", Type: "string", JSONPath: `.spec.allowedScopes[?(@ == "pinniped:request-audience")]`},
@@ -589,8 +610,20 @@ func TestCRDAdditionalPrinterColumns_Parallel(t *testing.T) {
 },
 }
- actualPinnipedCRDCount := 0
- expectedPinnipedCRDCount := 8 // the current number of CRDs that we ship as part of Pinniped
+ // the current CRDs that we ship as part of Pinniped
+ expectedPinnipedCRDNames := []string{
+ "activedirectoryidentityproviders.idp.supervisor." + env.APIGroupSuffix,
+ "credentialissuers.config.concierge." + env.APIGroupSuffix,
+ "federationdomains.config.supervisor." + env.APIGroupSuffix,
+ "githubidentityproviders.idp.supervisor." + env.APIGroupSuffix,
+ "jwtauthenticators.authentication.concierge." + env.APIGroupSuffix,
+ "ldapidentityproviders.idp.supervisor." + env.APIGroupSuffix,
+ "oidcclients.config.supervisor." + env.APIGroupSuffix,
+ "oidcidentityproviders.idp.supervisor." + env.APIGroupSuffix,
+ "webhookauthenticators.authentication.concierge." + env.APIGroupSuffix,
+ }
+
+ actualPinnipedCRDNames := make([]string, 0)
 for _, crd := range crdList.Items {
 if !strings.Contains(crd.Spec.Group, env.APIGroupSuffix) {
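Review bot: `actualPinnipedCRDNames := make([]string, 0)` in the second hunk allocates an empty non-nil slice where the idiomatic zero value does the same job, since the only operation on it is `append`; `var actualPinnipedCRDNames []string` reads more naturally and the later `require.ElementsMatch` comparison is unaffected because the expected list is never empty. The enclosing test function starts and ends outside this hunk.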
@@ -598,7 +631,7 @@ func TestCRDAdditionalPrinterColumns_Parallel(t *testing.T) {
 }
 // Found a Pinniped CRD, so let's check it for AdditionalPrinterColumns.
- actualPinnipedCRDCount++
+ actualPinnipedCRDNames = append(actualPinnipedCRDNames, crd.Name)
 for _, version := range crd.Spec.Versions {
 expectedColumns, ok := expectedColumnsPerCRDVersion[crd.Name][version.Name]
@@ -612,7 +645,7 @@ func TestCRDAdditionalPrinterColumns_Parallel(t *testing.T) {
 }
 // Make sure that the logic of this test did not accidentally skip a CRD that it should have interrogated.
- require.Equal(t, expectedPinnipedCRDCount, actualPinnipedCRDCount,
+ require.ElementsMatch(t, expectedPinnipedCRDNames, actualPinnipedCRDNames,
 "did not find expected number of Pinniped CRDs to check for additionalPrinterColumns")
 }
diff --git a/test/integration/supervisor_github_idp_test.go b/test/integration/supervisor_github_idp_test.go
new file mode 100644
index 000000000..3326bf695
--- /dev/null
+++ b/test/integration/supervisor_github_idp_test.go
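Review bot: The failure message on the context line right after the new `require.ElementsMatch` call still says "did not find expected number of Pinniped CRDs", but the assertion now compares the set of CRD names rather than a count, so a failure would be described in stale terms while ElementsMatch itself reports the missing or extra names. Suggest `"did not find the expected set of Pinniped CRDs to check for additionalPrinterColumns")`. Both hunks here sit inside TestCRDAdditionalPrinterColumns_Parallel, which starts outside the hunk.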
@@ -0,0 +1,307 @@ +// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package integration + +import ( + "context" + "encoding/base64" + "fmt" + "testing" + "time" + + "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" + + idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" + "go.pinniped.dev/internal/testutil" + + "go.pinniped.dev/test/testlib" +) + +func TestGitHubIDPStaticValidationOnCreate_Parallel(t *testing.T) { + adminClient := testlib.NewKubernetesClientset(t) + + ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute) + t.Cleanup(cancel) + + namespaceClient := adminClient.CoreV1().Namespaces() + skipCELTests := !testutil.KubeServerMinorVersionAtLeastInclusive(t, adminClient.Discovery(), 26) + + ns, err := namespaceClient.Create(ctx, &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + GenerateName: "test-github-idp-", + }, + }, metav1.CreateOptions{}) + require.NoError(t, err) + + t.Cleanup(func() { + require.NoError(t, namespaceClient.Delete(ctx, ns.Name, metav1.DeleteOptions{})) + }) + + gitHubIDPClient := testlib.NewSupervisorClientset(t).IDPV1alpha1().GitHubIdentityProviders(ns.Name) + + tests := []struct { + name string + inputSpec idpv1alpha1.GitHubIdentityProviderSpec + expectedSpec idpv1alpha1.GitHubIdentityProviderSpec + usesCELValidation bool + expectedErr string + }{ + { + name: "all fields set", + inputSpec: idpv1alpha1.GitHubIdentityProviderSpec{ + GitHubAPI: idpv1alpha1.GitHubAPIConfig{ + Host: ptr.To("some-host.example.com"), + TLS: &idpv1alpha1.TLSSpec{ + CertificateAuthorityData: func() string { + return base64.StdEncoding.EncodeToString([]byte("-----BEGIN CERTIFICATE-----\ndata goes here")) + }(), + }, + }, + AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{ + Organizations: idpv1alpha1.GitHubOrganizationsSpec{ + Allowed: []string{ + "org1", + 
"that-other-org", + }, + Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations), + }, + }, + Claims: idpv1alpha1.GitHubClaims{ + Username: ptr.To(idpv1alpha1.GitHubUsernameLoginAndID), + Groups: ptr.To(idpv1alpha1.GitHubUseTeamSlugForGroupName), + }, + Client: idpv1alpha1.GitHubClientSpec{ + SecretName: "any-name-goes-here", + }, + }, + expectedSpec: idpv1alpha1.GitHubIdentityProviderSpec{ + GitHubAPI: idpv1alpha1.GitHubAPIConfig{ + Host: ptr.To("some-host.example.com"), + TLS: &idpv1alpha1.TLSSpec{ + CertificateAuthorityData: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmRhdGEgZ29lcyBoZXJl", + }, + }, + AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{ + Organizations: idpv1alpha1.GitHubOrganizationsSpec{ + Allowed: []string{ + "org1", + "that-other-org", + }, + Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations), + }, + }, + Claims: idpv1alpha1.GitHubClaims{ + Username: ptr.To(idpv1alpha1.GitHubUsernameLoginAndID), + Groups: ptr.To(idpv1alpha1.GitHubUseTeamSlugForGroupName), + }, + Client: idpv1alpha1.GitHubClientSpec{ + SecretName: "any-name-goes-here", + }, + }, + }, + { + name: "minimum fields set - inherit defaults", + inputSpec: idpv1alpha1.GitHubIdentityProviderSpec{ + AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{ + Organizations: idpv1alpha1.GitHubOrganizationsSpec{ + Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers), + }, + }, + Client: idpv1alpha1.GitHubClientSpec{ + SecretName: "name-of-a-secret", + }, + }, + expectedSpec: idpv1alpha1.GitHubIdentityProviderSpec{ + GitHubAPI: idpv1alpha1.GitHubAPIConfig{ + Host: ptr.To("github.com"), + }, + AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{ + Organizations: idpv1alpha1.GitHubOrganizationsSpec{ + Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers), + }, + }, + Claims: idpv1alpha1.GitHubClaims{ + Username: 
ptr.To(idpv1alpha1.GitHubUsernameLoginAndID), + Groups: ptr.To(idpv1alpha1.GitHubUseTeamSlugForGroupName), + }, + Client: idpv1alpha1.GitHubClientSpec{ + SecretName: "name-of-a-secret", + }, + }, + }, + { + name: fmt.Sprintf( + "cannot set AllowedOrganizationsPolicy=%s and set AllowedOrganizations", + string(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers)), + inputSpec: idpv1alpha1.GitHubIdentityProviderSpec{ + AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{ + Organizations: idpv1alpha1.GitHubOrganizationsSpec{ + Allowed: []string{ + "some-org", + }, + Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers), + }, + }, + Client: idpv1alpha1.GitHubClientSpec{ + SecretName: "name-of-a-secret", + }, + }, + usesCELValidation: true, + expectedErr: "spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed", + }, + { + name: fmt.Sprintf("spec.allowAuthentication.organizations.policy must be '%s' when spec.allowAuthentication.organizations.allowed is empty (nil)", string(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers)), + inputSpec: idpv1alpha1.GitHubIdentityProviderSpec{ + AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{ + Organizations: idpv1alpha1.GitHubOrganizationsSpec{ + Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations), + }, + }, + Client: idpv1alpha1.GitHubClientSpec{ + SecretName: "name-of-a-secret", + }, + }, + usesCELValidation: true, + expectedErr: "spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty", + }, + { + name: fmt.Sprintf("spec.allowAuthentication.organizations.policy must be '%s' when spec.allowAuthentication.organizations.allowed is empty", string(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers)), + inputSpec: 
idpv1alpha1.GitHubIdentityProviderSpec{ + AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{ + Organizations: idpv1alpha1.GitHubOrganizationsSpec{ + Allowed: []string{}, + Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations), + }, + }, + Client: idpv1alpha1.GitHubClientSpec{ + SecretName: "name-of-a-secret", + }, + }, + usesCELValidation: true, + expectedErr: "spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty", + }, + { + name: "spec.client.secretName in body should be at least 1 chars long", + inputSpec: idpv1alpha1.GitHubIdentityProviderSpec{}, + expectedErr: "spec.client.secretName in body should be at least 1 chars long", + }, + { + name: "spec.githubAPI.host in body should be at least 1 chars long", + inputSpec: idpv1alpha1.GitHubIdentityProviderSpec{ + GitHubAPI: idpv1alpha1.GitHubAPIConfig{ + Host: ptr.To(""), + }, + AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{ + Organizations: idpv1alpha1.GitHubOrganizationsSpec{ + Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers), + }, + }, + Client: idpv1alpha1.GitHubClientSpec{ + SecretName: "name-of-a-secret", + }, + }, + expectedErr: "spec.githubAPI.host in body should be at least 1 chars long", + }, + { + name: "duplicates not permitted in spec.allowAuthentication.organizations.allowed", + inputSpec: idpv1alpha1.GitHubIdentityProviderSpec{ + AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{ + Organizations: idpv1alpha1.GitHubOrganizationsSpec{ + Allowed: []string{ + "org1", + "org1", + }, + Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations), + }, + }, + Client: idpv1alpha1.GitHubClientSpec{ + SecretName: "name-of-a-secret", + }, + }, + expectedErr: `spec.allowAuthentication.organizations.allowed[1]: Duplicate value: "org1"`, + }, + } + for _, tt := range tests { + tt := tt 
+ t.Run(tt.name, func(t *testing.T) {
+ t.Parallel()
+
+ if tt.usesCELValidation && skipCELTests {
+ t.Skip("CEL is not available for current K8s version")
+ }
+
+ input := &idpv1alpha1.GitHubIdentityProvider{
+ ObjectMeta: metav1.ObjectMeta{
+ GenerateName: "integration-test-",
+ },
+ Spec: tt.inputSpec,
+ }
+
+ outputGitHubIDP, err := gitHubIDPClient.Create(ctx, input, metav1.CreateOptions{})
+ if tt.expectedErr == "" {
+ require.NoError(t, err)
+ require.Equal(t, tt.expectedSpec, outputGitHubIDP.Spec)
+ } else {
+ require.ErrorContains(t, err, tt.expectedErr)
+ }
+ })
+ }
+}
+
+func TestGitHubIDPTooManyOrganizationsStaticValidationOnCreate_Parallel(t *testing.T) {
+ adminClient := testlib.NewKubernetesClientset(t)
+
+ ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
+ t.Cleanup(cancel)
+
+ namespaceClient := adminClient.CoreV1().Namespaces()
+
+ ns, err := namespaceClient.Create(ctx, &corev1.Namespace{
+ ObjectMeta: metav1.ObjectMeta{
+ GenerateName: "test-github-idp-",
+ },
+ }, metav1.CreateOptions{})
+ require.NoError(t, err)
+
+ t.Cleanup(func() {
+ require.NoError(t, namespaceClient.Delete(ctx, ns.Name, metav1.DeleteOptions{}))
+ })
+
+ gitHubIDPClient := testlib.NewSupervisorClientset(t).IDPV1alpha1().GitHubIdentityProviders(ns.Name)
+
+ input := &idpv1alpha1.GitHubIdentityProvider{
+ ObjectMeta: metav1.ObjectMeta{
+ GenerateName: "integration-test-",
+ },
+ Spec: idpv1alpha1.GitHubIdentityProviderSpec{
+ AllowAuthentication: idpv1alpha1.GitHubAllowAuthenticationSpec{
+ Organizations: idpv1alpha1.GitHubOrganizationsSpec{
+ Allowed: func() []string {
+ var orgs []string
+ for i := 0; i < 100; i++ {
+ orgs = append(orgs, fmt.Sprintf("org-%d", i))
+ }
+ return orgs
+ }(),
+ Policy: ptr.To(idpv1alpha1.GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations),
+ },
+ },
+ Client: idpv1alpha1.GitHubClientSpec{
+ SecretName: "name-of-a-secret",
+ },
+ },
+ }
+
+ _, err = gitHubIDPClient.Create(ctx, input, 
metav1.CreateOptions{})
+
+ expectedErr := "spec.allowAuthentication.organizations.allowed: Invalid value: 100: spec.allowAuthentication.organizations.allowed in body should have at most 64 items"
+ if testutil.KubeServerMinorVersionAtLeastInclusive(t, adminClient.Discovery(), 24) {
+ expectedErr = "spec.allowAuthentication.organizations.allowed: Too many: 100: must have at most 64 items"
+ }
+
+ require.ErrorContains(t, err, expectedErr)
+}
