FederationDomain.spec.issuer must now be an HTTPS URL

2026-01-04 12:14:24 +00:00 · 2024-12-26 14:25:07 -06:00
parent cc1befbc57
commit 430c73b903
19 changed files with 113 additions and 44 deletions
--- a/apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl
+++ b/apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl
@@ -209,6 +209,7 @@ type FederationDomainSpec struct {
 	// See
 	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:XValidation:message="issuer must be an HTTPS URL",rule="isURL(self) && url(self).getScheme() == 'https'"
 	Issuer string `json:"issuer"`

 	// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
--- a/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -289,6 +289,9 @@ spec:
                  https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
                minLength: 1
                type: string
+                x-kubernetes-validations:
+                - message: issuer must be an HTTPS URL
+                  rule: isURL(self) && url(self).getScheme() == 'https'
              tls:
                description: TLS specifies a secret which will contain Transport Layer
                  Security (TLS) configuration for the FederationDomain.
--- a/generated/1.25/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/1.25/apis/supervisor/config/v1alpha1/types_federationdomain.go
@@ -209,6 +209,7 @@ type FederationDomainSpec struct {
 	// See
 	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:XValidation:message="issuer must be an HTTPS URL",rule="isURL(self) && url(self).getScheme() == 'https'"
 	Issuer string `json:"issuer"`

 	// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
--- a/generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -289,6 +289,9 @@ spec:
                  https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
                minLength: 1
                type: string
+                x-kubernetes-validations:
+                - message: issuer must be an HTTPS URL
+                  rule: isURL(self) && url(self).getScheme() == 'https'
              tls:
                description: TLS specifies a secret which will contain Transport Layer
                  Security (TLS) configuration for the FederationDomain.
--- a/generated/1.26/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/1.26/apis/supervisor/config/v1alpha1/types_federationdomain.go
@@ -209,6 +209,7 @@ type FederationDomainSpec struct {
 	// See
 	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:XValidation:message="issuer must be an HTTPS URL",rule="isURL(self) && url(self).getScheme() == 'https'"
 	Issuer string `json:"issuer"`

 	// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
--- a/generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -289,6 +289,9 @@ spec:
                  https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
                minLength: 1
                type: string
+                x-kubernetes-validations:
+                - message: issuer must be an HTTPS URL
+                  rule: isURL(self) && url(self).getScheme() == 'https'
              tls:
                description: TLS specifies a secret which will contain Transport Layer
                  Security (TLS) configuration for the FederationDomain.
--- a/generated/1.27/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/1.27/apis/supervisor/config/v1alpha1/types_federationdomain.go
@@ -209,6 +209,7 @@ type FederationDomainSpec struct {
 	// See
 	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:XValidation:message="issuer must be an HTTPS URL",rule="isURL(self) && url(self).getScheme() == 'https'"
 	Issuer string `json:"issuer"`

 	// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
--- a/generated/1.27/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.27/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -289,6 +289,9 @@ spec:
                  https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
                minLength: 1
                type: string
+                x-kubernetes-validations:
+                - message: issuer must be an HTTPS URL
+                  rule: isURL(self) && url(self).getScheme() == 'https'
              tls:
                description: TLS specifies a secret which will contain Transport Layer
                  Security (TLS) configuration for the FederationDomain.
--- a/generated/1.28/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/1.28/apis/supervisor/config/v1alpha1/types_federationdomain.go
@@ -209,6 +209,7 @@ type FederationDomainSpec struct {
 	// See
 	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:XValidation:message="issuer must be an HTTPS URL",rule="isURL(self) && url(self).getScheme() == 'https'"
 	Issuer string `json:"issuer"`

 	// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
--- a/generated/1.28/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.28/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -289,6 +289,9 @@ spec:
                  https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
                minLength: 1
                type: string
+                x-kubernetes-validations:
+                - message: issuer must be an HTTPS URL
+                  rule: isURL(self) && url(self).getScheme() == 'https'
              tls:
                description: TLS specifies a secret which will contain Transport Layer
                  Security (TLS) configuration for the FederationDomain.
--- a/generated/1.29/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/1.29/apis/supervisor/config/v1alpha1/types_federationdomain.go
@@ -209,6 +209,7 @@ type FederationDomainSpec struct {
 	// See
 	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:XValidation:message="issuer must be an HTTPS URL",rule="isURL(self) && url(self).getScheme() == 'https'"
 	Issuer string `json:"issuer"`

 	// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
--- a/generated/1.29/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.29/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -289,6 +289,9 @@ spec:
                  https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
                minLength: 1
                type: string
+                x-kubernetes-validations:
+                - message: issuer must be an HTTPS URL
+                  rule: isURL(self) && url(self).getScheme() == 'https'
              tls:
                description: TLS specifies a secret which will contain Transport Layer
                  Security (TLS) configuration for the FederationDomain.
--- a/generated/1.30/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/1.30/apis/supervisor/config/v1alpha1/types_federationdomain.go
@@ -209,6 +209,7 @@ type FederationDomainSpec struct {
 	// See
 	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:XValidation:message="issuer must be an HTTPS URL",rule="isURL(self) && url(self).getScheme() == 'https'"
 	Issuer string `json:"issuer"`

 	// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
--- a/generated/1.30/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.30/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -289,6 +289,9 @@ spec:
                  https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
                minLength: 1
                type: string
+                x-kubernetes-validations:
+                - message: issuer must be an HTTPS URL
+                  rule: isURL(self) && url(self).getScheme() == 'https'
              tls:
                description: TLS specifies a secret which will contain Transport Layer
                  Security (TLS) configuration for the FederationDomain.
--- a/generated/1.31/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/1.31/apis/supervisor/config/v1alpha1/types_federationdomain.go
@@ -209,6 +209,7 @@ type FederationDomainSpec struct {
 	// See
 	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:XValidation:message="issuer must be an HTTPS URL",rule="isURL(self) && url(self).getScheme() == 'https'"
 	Issuer string `json:"issuer"`

 	// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
--- a/generated/1.31/crds/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/generated/1.31/crds/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -289,6 +289,9 @@ spec:
                  https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
                minLength: 1
                type: string
+                x-kubernetes-validations:
+                - message: issuer must be an HTTPS URL
+                  rule: isURL(self) && url(self).getScheme() == 'https'
              tls:
                description: TLS specifies a secret which will contain Transport Layer
                  Security (TLS) configuration for the FederationDomain.
--- a/generated/latest/apis/supervisor/config/v1alpha1/types_federationdomain.go
+++ b/generated/latest/apis/supervisor/config/v1alpha1/types_federationdomain.go
@@ -209,6 +209,7 @@ type FederationDomainSpec struct {
 	// See
 	// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
 	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:XValidation:message="issuer must be an HTTPS URL",rule="isURL(self) && url(self).getScheme() == 'https'"
 	Issuer string `json:"issuer"`

 	// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.
--- a/test/integration/supervisor_federationdomain_status_test.go
+++ b/test/integration/supervisor_federationdomain_status_test.go
@@ -567,12 +567,15 @@ func TestSupervisorFederationDomainCRDValidations_Parallel(t *testing.T) {
 	usingKubeVersionInCluster24Through31Inclusive := testutil.KubeServerMinorVersionInBetweenInclusive(t, adminClient.Discovery(), 24, 31)
 	usingKubeVersionInCluster32OrNewer := !usingKubeVersionInCluster23OrOlder && !usingKubeVersionInCluster24Through31Inclusive

+	performCELTests := testutil.KubeServerMinorVersionAtLeastInclusive(t, adminClient.Discovery(), 27)
+
 	objectMeta := testlib.ObjectMetaWithRandomName(t, "federation-domain")

 	tests := []struct {
 		name        string
 		fd          *supervisorconfigv1alpha1.FederationDomain
 		wantErrs    []string
+		wantCELErrs []string

 		// optionally override wantErr for one or more specific versions of Kube, due to changing validation error text
 		wantKube23OrOlderErrs            []string
@@ -588,6 +591,27 @@ func TestSupervisorFederationDomainCRDValidations_Parallel(t *testing.T) {
 				},
 			},
 			wantErrs:    []string{`spec.issuer: Invalid value: "": spec.issuer in body should be at least 1 chars long`},
+			wantCELErrs: []string{`spec.issuer: Invalid value: "string": issuer must be an HTTPS URL`},
+		},
+		{
+			name: "issuer must be a URL",
+			fd: &supervisorconfigv1alpha1.FederationDomain{
+				ObjectMeta: objectMeta,
+				Spec: supervisorconfigv1alpha1.FederationDomainSpec{
+					Issuer: "foo",
+				},
+			},
+			wantCELErrs: []string{`spec.issuer: Invalid value: "string": issuer must be an HTTPS URL`},
+		},
+		{
+			name: "issuer URL scheme must be 'https'",
+			fd: &supervisorconfigv1alpha1.FederationDomain{
+				ObjectMeta: objectMeta,
+				Spec: supervisorconfigv1alpha1.FederationDomainSpec{
+					Issuer: "http://example.com",
+				},
+			},
+			wantCELErrs: []string{`spec.issuer: Invalid value: "string": issuer must be an HTTPS URL`},
 		},
 		{
 			name: "IDP display names cannot be empty",
@@ -678,6 +702,7 @@ func TestSupervisorFederationDomainCRDValidations_Parallel(t *testing.T) {
 			wantKube23OrOlderErrs:            []string{`spec.identityProviders.transforms.constants.name: Invalid value: "12345678901234567890123456789012345678901234567890123456789012345": spec.identityProviders.transforms.constants.name in body should be at most 64 chars long`},
 			wantKube24Through31InclusiveErrs: []string{`spec.identityProviders[0].transforms.constants[0].name: Too long: may not be longer than 64`},
 			wantKube32OrNewerErrs:            []string{`spec.identityProviders[0].transforms.constants[0].name: Too long: may not be more than 64 bytes`},
+			wantCELErrs:                      []string{`<nil>: Invalid value: "null": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation`},
 		},
 		{
 			name: "IDP transform constant names must be a legal CEL variable name",
@@ -734,6 +759,7 @@ func TestSupervisorFederationDomainCRDValidations_Parallel(t *testing.T) {
 				},
 			},
 			wantErrs:    []string{`spec.identityProviders[0].transforms.constants[0].type: Unsupported value: "this is invalid": supported values: "string", "stringList"`},
+			wantCELErrs: []string{`<nil>: Invalid value: "null": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation`},
 		},
 		{
 			name: "IDP transform expression types must be one of the allowed enum strings",
@@ -760,6 +786,7 @@ func TestSupervisorFederationDomainCRDValidations_Parallel(t *testing.T) {
 				},
 			},
 			wantErrs:    []string{`spec.identityProviders[0].transforms.expressions[0].type: Unsupported value: "this is invalid": supported values: "policy/v1", "username/v1", "groups/v1"`},
+			wantCELErrs: []string{`<nil>: Invalid value: "null": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation`},
 		},
 		{
 			name: "IDP transform expressions cannot be empty",
@@ -883,10 +910,12 @@ func TestSupervisorFederationDomainCRDValidations_Parallel(t *testing.T) {
 				require.Fail(t, "test setup problem: wanted every possible kind of error, which would cause tt.wantErr to be unused")
 			}

-			if len(tt.wantErrs) == 0 && len(tt.wantKube23OrOlderErrs) == 0 && len(tt.wantKube24Through31InclusiveErrs) == 0 && len(tt.wantKube32OrNewerErrs) == 0 { //nolint:nestif
+			if len(tt.wantErrs) == 0 && len(tt.wantCELErrs) == 0 && len(tt.wantKube23OrOlderErrs) == 0 && len(tt.wantKube24Through31InclusiveErrs) == 0 && len(tt.wantKube32OrNewerErrs) == 0 {
 				// Did not want any error.
 				require.NoError(t, actualCreateErr)
-			} else {
+				return
+			}
+
 			wantErr := tt.wantErrs
 			if usingKubeVersionInCluster23OrOlder {
 				// Old versions of Kubernetes did not show the index where the error occurred in some of the messages,
@@ -914,6 +943,14 @@ func TestSupervisorFederationDomainCRDValidations_Parallel(t *testing.T) {
 				wantErr = tt.wantKube32OrNewerErrs
 			}

+			if performCELTests {
+				wantErr = append(wantErr, tt.wantCELErrs...)
+			} else if len(wantErr) == len(tt.wantCELErrs) {
+				// on old K8s versions, don't check for errors when all we expect are CEL errors
+				require.NoError(t, actualCreateErr)
+				return
+			}
+
 			wantErrStr := fmt.Sprintf("FederationDomain.config.supervisor.%s %q is invalid: ",
 				env.APIGroupSuffix, objectMeta.Name)

@@ -924,7 +961,6 @@ func TestSupervisorFederationDomainCRDValidations_Parallel(t *testing.T) {
 			}

 			require.EqualError(t, actualCreateErr, wantErrStr)
-			}
 		})
 	}
 }
--- a/test/integration/supervisor_secrets_test.go
+++ b/test/integration/supervisor_secrets_test.go
@@ -31,7 +31,7 @@ func TestSupervisorSecrets_Parallel(t *testing.T) {
 	// Create our FederationDomain under test.
 	federationDomain := testlib.CreateTestFederationDomain(ctx, t,
 		supervisorconfigv1alpha1.FederationDomainSpec{
-			Issuer: fmt.Sprintf("http://test-issuer-%s.pinniped.dev", testlib.RandHex(t, 8)),
+			Issuer: fmt.Sprintf("https://test-issuer-%s.pinniped.dev", testlib.RandHex(t, 8)),
 		},
 		supervisorconfigv1alpha1.FederationDomainPhaseError, // in phase error until there is an IDP created, but this test does not care
 	)