Refined ytt schemas

Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
This commit is contained in:
Ryan Richard
2023-11-08 12:56:16 -08:00
parent c4f9869e7c
commit 88a97033fb
6 changed files with 113 additions and 117 deletions


@@ -347,7 +347,12 @@ spec:
#@ if data.values.impersonation_proxy_spec.service.load_balancer_ip:
loadBalancerIP: #@ data.values.impersonation_proxy_spec.service.load_balancer_ip
#@ end
#@ if data.values.impersonation_proxy_spec.service.annotations == None:
annotations:
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"
#@ else:
annotations: #@ data.values.impersonation_proxy_spec.service.annotations
#@ end
---
apiVersion: v1
kind: Secret
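Review bot: The AWS idle-timeout annotation is now duplicated between this template and the schema default for `impersonation_proxy_spec.service.annotations`, and nothing in the template says why it must re-supply a value the schema already shows. Because that schema node is marked `#@schema/nullable`, which in ytt makes the effective default null, the map literal in the schema looks like documentation only and this `== None` branch is what actually applies the default — worth confirming and recording. I would add above the `if`: `#! The schema marks annotations nullable (effective default null), so the documented AWS default is applied here rather than by the schema.` Note also that with an `== None` test the only way to get no annotations at all is to pass an explicit empty map, which the schema description does not currently tell the user.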


@@ -1,6 +1,16 @@
#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ def validate_strings_map(obj):
#@ # Returns True if obj is an associative data structure string→string, and False otherwise.
#@ for key in obj:
#@ if type(key) != "string" or type(obj[key]) != "string":
#@ return False
#@ end
#@ end
#@ return True
#@ end
#@data/values-schema
---
#@schema/title "App name"
@@ -31,21 +41,9 @@ into_namespace: ""
#@ not assume that there was a static install-time yaml namespace."
#@schema/desc custom_labels_desc
#@schema/examples ("Example set of labels", {"myCustomLabelName": "myCustomLabelValue", "otherCustomLabelName": "otherCustomLabelValue"})
#@ def validate_labels(labels):
#@ """
#@ Returns True if labels is an associative data structure string→string,
#@ and False otherwise.
#@ """
#@ for label in labels:
#@ if type(label) != "string" or type(labels[label]) != "string":
#@ return False
#@ end
#@ end
#@ return True
#@ end
#@schema/type any=True
#@schema/validation ("a map of keys and values", validate_labels)
custom_labels: {}
#@schema/validation ("a map of string keys and string values", validate_strings_map)
custom_labels: { }
#@schema/title "Replicas"
#@schema/desc "Specify how many replicas of the Pinniped server to run."
@@ -58,14 +56,14 @@ image_repo: projects.registry.vmware.com/pinniped/pinniped-server
#@schema/title "Image digest"
#@schema/desc "The image digest for the Concierge container image. If both image_digest or an image_tag are given, only image_digest will be used."
#@schema/examples ("Digest", "sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8")
#@schema/examples ("Providing a digest", "sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8")
#@schema/nullable
#@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_tag"] == None
image_digest: ""
#@schema/title "Image tag"
#@schema/desc "The image tag for the Concierge container image. If both image_digest or an image_tag are given, only image_digest will be used."
#@schema/examples ("Tag", "v0.25.0")
#@schema/examples ("Providing a tag", "v0.25.0")
#@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_digest"] == None
image_tag: latest
@@ -88,6 +86,7 @@ kube_cert_agent_image: ""
#@ example_value = "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
#@schema/examples (example_desc, example_value)
#@schema/nullable
#@schema/validation min_len=1
image_pull_dockerconfigjson: ""
#@schema/title "Discovery URL"
@@ -103,7 +102,7 @@ discovery_url: ""
#@ Specify this as an integer or as a string which contains an integer value."
#@schema/desc api_serving_certificate_duration_seconds_desc
#@schema/type any=True
#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
#@schema/validation ("an int or string which contains an integer value", lambda v: type(v) in ["int", "string"])
api_serving_certificate_duration_seconds: 2592000
#@schema/title "API serving certificate renew before seconds"
@@ -112,7 +111,7 @@ api_serving_certificate_duration_seconds: 2592000
#@ Specify this as an integer or as a string which contains an integer value."
#@schema/desc api_serving_certificate_renew_before_seconds_desc
#@schema/type any=True
#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
#@schema/validation ("an int or string which contains an integer value", lambda v: type(v) in ["int", "string"])
api_serving_certificate_renew_before_seconds: 2160000
#@schema/title "Log level"
@@ -138,15 +137,11 @@ deprecated_log_format: ""
#@schema/title "Run as user"
#@schema/desc "The user ID that will own the process."
#@schema/type any=True
#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
#! See the Dockerfile for the reasoning behind this default value.
run_as_user: 65532
#@schema/title "Run as group"
#@schema/desc "The group ID that will own the process."
#@schema/type any=True
#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
#! See the Dockerfile for the reasoning behind this default value.
run_as_group: 65532
@@ -164,19 +159,21 @@ api_group_suffix: pinniped.dev
impersonation_proxy_spec:
#@schema/title "Mode"
#@ impersonation_mode_desc = "If enabled, the impersonation proxy will always run regardless of other strategies available. \
#@ Options are 'auto', 'disabled' or 'enabled'. If auto, the impersonation proxy will run only if the cluster signing key is \
#@ not available and the other strategy does not work. If disabled, the impersonation proxy will never run, which could mean \
#@ impersonation_mode_desc = "Enables or disables the impersonation proxy. Options are 'auto', 'disabled' or 'enabled'. \
#@ If auto, the impersonation proxy will run only if the cluster signing key is \
#@ not available and the other strategy does not work. \
#@ If enabled, the impersonation proxy will always run regardless of other strategies available. \
#@ If disabled, the impersonation proxy will never run, which could mean \
#@ that the concierge doesn't work at all."
#@schema/desc impersonation_mode_desc
#@schema/examples ("Always run, regardless of available strategies", "enabled"),("Detect if cluster signing key is available for use","auto")
#@schema/validation one_of=["auto", "disabled", "enabled"]
mode: auto
#@schema/title "External endpoint"
#@ external_endpoint_desc = "The endpoint which the client should use to connect to the impersonation proxy. \
#@ If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint."
#@schema/desc external_endpoint_desc
#@schema/examples ("Specified impersonation proxy endpoint", "1.2.3.4:5678")
#@schema/examples ("Specified impersonation proxy endpoint", "https://1.2.3.4:5678")
#@schema/nullable
#@schema/validation min_len=1
external_endpoint: ""
@@ -192,33 +189,39 @@ impersonation_proxy_spec:
#@ automatically provisions a Service of type ClusterIP pointing at the impersonation proxy. None does not provision \
#@ either and assumes that you have set the external_endpoint and set up your own ingress to connect to the impersonation proxy."
#@schema/desc impersonation_service_type_desc
#@schema/examples ("Fall back to ClusterIP", "ClusterIP")
#@schema/validation one_of=["LoadBalancer", "ClusterIP", "None"]
type: LoadBalancer
#@schema/title "Annotations"
#@schema/desc "The annotations that should be set on the ClusterIP or LoadBalancer Service."
#@ annotations_desc = "The annotations that should be set on the ClusterIP or LoadBalancer Service. The default includes \
#@ a value for the AWS-specific service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout annotation, which will \
#@ be ignored except when using AWS to provide load balancer Services."
#@schema/desc annotations_desc
#@schema/nullable
#@schema/type any=True
#@schema/validation ("a map of string keys and string values", validate_strings_map)
annotations:
{service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"}
#@schema/title "Load balancer IP"
#@schema/desc "When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP."
#@schema/examples ("Specified IP with port", "1.2.3.4:5678")
#@schema/desc "When mode LoadBalancer is set, this will set the LoadBalancer Service's spec.loadBalancerIP."
#@schema/examples ("Specifying an IP", "1.2.3.4")
#@schema/nullable
#@schema/validation min_len=1
load_balancer_ip: ""
#@schema/title "HTTPS proxy"
#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. \
#@ These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, \
#@ e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. \
#@ The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. \
#@ Optional."
#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Concierge containers. \
#@ These will be used when the Concierge makes backend-to-backend calls to authenticators using HTTPS, \
#@ e.g. when the Concierge fetches discovery documents and JWKS keys for JWTAuthenticators and POSTs to webhooks for WebhookAuthenticators. \
#@ The Concierge never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY."
#@schema/desc https_proxy_desc
#@schema/examples ("Provide a proxy endpoint","http://proxy.example.com")
#@schema/examples ("Providing a proxy endpoint","http://proxy.example.com")
#@schema/nullable
#@schema/validation min_len=1
https_proxy: ""
#@schema/title "No proxy"
#@schema/desc "Endpoints that should not be proxied. Defaults to some sensible known values on public cloud providers."
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
#@ no_proxy_desc = "Endpoints that should not be proxied. Defaults to not proxying internal Kubernetes endpoints, \
#@ localhost endpoints, and the known instance metadata IP address for public cloud providers."
#@schema/desc no_proxy_desc
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local"
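Review bot: `validate_strings_map` at the top of this file has no guard on the type of `obj`, yet it is attached to nodes declared `#@schema/type any=True`, so a scalar or list supplied for `custom_labels` or `service.annotations` reaches `for key in obj` and presumably fails with a Starlark iteration or indexing error instead of the "a map of string keys and string values" message. The Supervisor's `validate_endpoint` in this same commit checks `type(endpoint) in ["yamlfragment"]` before indexing, so the same guard belongs here ahead of the loop: `#@ if type(obj) not in ["yamlfragment", "dict"]:` / `#@   return False` / `#@ end` — confirm against ytt which type a validator receives for an `any=True` map before settling on the list. A second mismatch in this section: the validation messages for `api_serving_certificate_duration_seconds` and `api_serving_certificate_renew_before_seconds` now promise "a string which contains an integer value", but the lambda still checks only `type(v) in ["int", "string"]`, so `"abc"` passes the schema and can only fail later at render or runtime. `lambda v: type(v) == "int" or (type(v) == "string" and v.isdigit())` would make the check match the message.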


@@ -10,14 +10,14 @@ image_repo: projects.registry.vmware.com/pinniped/pinniped-server
#@schema/title "Image digest"
#@schema/desc "The image digest for the local-user-authenticator container image. If both image_digest or an image_tag are given, only image_digest will be used."
#@schema/examples ("Digest", "sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8")
#@schema/examples ("Providing a digest", "sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8")
#@schema/nullable
#@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_tag"] == None
image_digest: ""
#@schema/title "Image tag"
#@schema/desc "The image tag for the local-user-authenticator container image. If both image_digest or an image_tag are given, only image_digest will be used."
#@schema/examples ("Tag", "v0.25.0")
#@schema/examples ("Providing a tag", "v0.25.0")
#@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_digest"] == None
image_tag: latest
@@ -30,6 +30,7 @@ image_tag: latest
#@ example_value = "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
#@schema/examples (example_desc, example_value)
#@schema/nullable
#@schema/validation min_len=1
image_pull_dockerconfigjson: ""
#@schema/title "Run as user"


@@ -1,6 +1,16 @@
#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ def validate_strings_map(obj):
#@ # Returns True if obj is an associative data structure string→string, and False otherwise.
#@ for key in obj:
#@ if type(key) != "string" or type(obj[key]) != "string":
#@ return False
#@ end
#@ end
#@ return True
#@ end
#@data/values-schema
---
#@schema/title "App name"
@@ -31,40 +41,28 @@ into_namespace: ""
#@ not assume that there was a static install-time yaml namespace."
#@schema/desc custom_labels_desc
#@schema/examples ("Example set of labels", {"myCustomLabelName": "myCustomLabelValue", "otherCustomLabelName": "otherCustomLabelValue"})
#@ def validate_labels(labels):
#@ """
#@ Returns True if labels is an associative data structure string→string,
#@ and False otherwise.
#@ """
#@ for label in labels:
#@ if type(label) != "string" or type(labels[label]) != "string":
#@ return False
#@ end
#@ end
#@ return True
#@ end
#@schema/type any=True
#@schema/validation ("a map of keys and values", validate_labels)
custom_labels: {}
#@schema/validation ("a map of keys and values", validate_strings_map)
custom_labels: { }
#@schema/title "Replicas"
#@schema/desc "Specify how many replicas of the Pinniped server to run."
replicas: 2
#@schema/title "Image repo"
#@schema/desc "The repository for the Concierge container image."
#@schema/desc "The repository for the Supervisor container image."
#@schema/validation min_len=1
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
#@schema/title "Image digest"
#@schema/desc "The image digest for the Concierge container image. If both image_digest or an image_tag are given, only image_digest will be used."
#@schema/desc "The image digest for the Supervisor container image. If both image_digest or an image_tag are given, only image_digest will be used."
#@schema/examples ("Digest", "sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8")
#@schema/nullable
#@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_tag"] == None
image_digest: ""
#@schema/title "Image tag"
#@schema/desc "The image tag for the Concierge container image. If both image_digest or an image_tag are given, only image_digest will be used."
#@schema/desc "The image tag for the Supervisor container image. If both image_digest or an image_tag are given, only image_digest will be used."
#@schema/examples ("Tag", "v0.25.0")
#@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_digest"] == None
image_tag: latest
@@ -78,75 +76,60 @@ image_tag: latest
#@ example_value = "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
#@schema/examples (example_desc, example_value)
#@schema/nullable
#@schema/validation min_len=1
image_pull_dockerconfigjson: ""
#@schema/title "Deprecated service HTTP nodeport port"
#@schema/desc "When specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`"
#@schema/examples ("Specify port","31234")
#@schema/examples ("Specify port",31234)
#@schema/nullable
#@schema/type any=True
#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
#@schema/deprecated "This data value will be removed in a future release"
deprecated_service_http_nodeport_port: ""
deprecated_service_http_nodeport_port: 0
#@schema/title "Deprecated service http nodeport nodeport"
#@schema/desc "The `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified"
#@schema/examples ("Specify port","31234")
#@schema/examples ("Specify port",31234)
#@schema/nullable
#@schema/type any=True
#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
#@schema/deprecated "This data value will be removed in a future release"
deprecated_service_http_nodeport_nodeport: ""
deprecated_service_http_nodeport_nodeport: 0
#@schema/title "Deprecated service http loadbalancer port"
#@schema/desc "When specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`"
#@schema/examples ("Specify port","8443")
#@schema/examples ("Specify port",8443)
#@schema/nullable
#@schema/type any=True
#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
#@schema/deprecated "This data value will be removed in a future release"
deprecated_service_http_loadbalancer_port: ""
deprecated_service_http_loadbalancer_port: 0
#@schema/title "Deprecated service http clusterip port"
#@schema/desc "Creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`"
#@schema/examples ("Specify port","8443")
#@schema/examples ("Specify port",8443)
#@schema/nullable
#@schema/type any=True
#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
#@schema/deprecated "This data value will be removed in a future release"
deprecated_service_http_clusterip_port: ""
deprecated_service_http_clusterip_port: 0
#@schema/title "Service https nodeport port"
#@schema/desc "When specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`"
#@schema/examples ("Specify port","31243")
#@schema/examples ("Specify port",31243)
#@schema/nullable
#@schema/type any=True
#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
service_https_nodeport_port: ""
service_https_nodeport_port: 0
#@schema/title "Service https nodeport nodeport"
#@schema/desc "The `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified"
#@schema/examples ("Specify port","31243")
#@schema/examples ("Specify port",31243)
#@schema/nullable
#@schema/type any=True
#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
service_https_nodeport_nodeport: ""
service_https_nodeport_nodeport: 0
#@schema/title "Service https loadbalancer port"
#@schema/desc "When specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`"
#@schema/examples ("Specify port","8443")
#@schema/examples ("Specify port",8443)
#@schema/nullable
#@schema/type any=True
#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
service_https_loadbalancer_port: ""
service_https_loadbalancer_port: 0
#@schema/title "Service https clusterip port"
#@schema/desc "When specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`"
#@schema/examples ("Specify port","8443")
#@schema/examples ("Specify port",8443)
#@schema/nullable
#@schema/type any=True
#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
service_https_clusterip_port: ""
service_https_clusterip_port: 0
#@schema/title "Service loadbalancer ip"
#@schema/desc "The `loadBalancerIP` value of the LoadBalancer Service. Ignored unless service_https_loadbalancer_port is provided."
@@ -177,23 +160,19 @@ deprecated_log_format: ""
#@schema/title "Run as user"
#@schema/desc "The user ID that will own the process."
#@schema/type any=True
#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
#! See the Dockerfile for the reasoning behind this default value.
run_as_user: 65532
#@schema/title "Run as group"
#@schema/desc "The group ID that will own the process."
#@schema/type any=True
#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
#! See the Dockerfile for the reasoning behind this default value.
run_as_group: 65532
#@schema/title "API group suffix"
#@ api_group_suffix_desc = "Specify the API group suffix for all Pinniped API groups. By default, this is set to \
#@ pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, \
#@ authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then \
#@ Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc."
#@ config.supervisor.pinniped.dev, etc. As an example, if this is set to tuna.io, then \
#@ Pinniped API groups will look like foo.tuna.io. config.supervisor.tuna.io, etc."
#@schema/desc api_group_suffix_desc
#@schema/validation min_len=1
api_group_suffix: pinniped.dev
@@ -202,25 +181,26 @@ api_group_suffix: pinniped.dev
#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. \
#@ These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, \
#@ e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. \
#@ The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. \
#@ Optional."
#@ The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY."
#@schema/desc https_proxy_desc
#@schema/examples ("Provide a proxy endpoint","http://proxy.example.com")
#@schema/examples ("Providing a proxy endpoint","http://proxy.example.com")
#@schema/nullable
#@schema/validation min_len=1
https_proxy: ""
#@schema/title "No proxy"
#@schema/desc "Endpoints that should not be proxied. Defaults to some sensible known values on public cloud providers."
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
#@ no_proxy_desc = "Endpoints that should not be proxied. Defaults to not proxying internal Kubernetes endpoints, \
#@ localhost endpoints, and the known instance metadata IP address for public cloud providers."
#@schema/desc no_proxy_desc
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local"
#@schema/title "Endpoints"
#@ endpoints_desc = "Control the HTTP and HTTPS listeners of the Supervisor. The current defaults are: \
#@ {\"https\":{\"network\":\"tcp\",\"address\":\":8443\"},\"http\":\"disabled\"}. \
#@ These defaults mean: 1.) For HTTPS listening, bind to all interfaces using TCP on port 8443 and \
#@ 2.) Disable HTTP listening by default. \
#@ These defaults mean: 1.) for HTTPS listening, bind to all interfaces using TCP on port 8443 and \
#@ 2.) disable HTTP listening by default. \
#@ The schema of this config is as follows: \
#@ {'https':{'network':'tcp | unix | disabled','address':'host:port when network=tcp or /pinniped_socket/socketfile.sock when network=unix'},'http':{'network':'tcp | unix | disabled','address':'same as https, except that when network=tcp then the address is only allowed to bind to loopback interfaces'}} \
#@ {\"https\":{\"network\":\"tcp | unix | disabled\",\"address\":\"host:port when network=tcp or /pinniped_socket/socketfile.sock when network=unix\"},\"http\":{\"network\":\"tcp | unix | disabled\",\"address\":\"same as https, except that when network=tcp then the address is only allowed to bind to loopback interfaces\"}} \
#@ The HTTP listener can only be bound to loopback interfaces. This allows the listener to accept \
#@ traffic from within the pod, e.g. from a service mesh sidecar. The HTTP listener should not be \
#@ used to accept traffic from outside the pod, since that would mean that the network traffic could be \
@@ -241,6 +221,14 @@ no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.
#@ return False
#@ end
#@ end
#@ if(type(endpoint) in ["yamlfragment"]):
#@ if (endpoint["network"] not in ["tcp", "unix", "disabled"]):
#@ return False
#@ end
#@ if (type(endpoint["address"]) not in ["string"]):
#@ return False
#@ end
#@ end
#@ return True
#@ end
#@ def validate_endpoints(endpoints):
@@ -251,9 +239,9 @@ no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.
#@ https_val = endpoints["https"]
#@ return validate_endpoint(http_val) and validate_endpoint(https_val)
#@ end
#@schema/validation ("a map with keys 'http' and 'https', both having keys 'network' and 'address' or set to 'disabled'", validate_endpoints)
#@schema/nullable
endpoints: {}
#@schema/validation ("a map with keys 'http' and 'https', whose values are either the string 'disabled' or a map having keys 'network' and 'address', and the value of 'network' must be one of the allowed values", validate_endpoints)
endpoints: { }
#@ deprecated_insecure_accept_external_unencrypted_http_requests_desc = "Optionally override the validation on the endpoints.http \
#@ value which checks that only loopback interfaces are used. \
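Review bot: The new map branch of `validate_endpoint` indexes `endpoint["network"]` and `endpoint["address"]` unconditionally, so a map lacking either key — `{network: disabled}` is the obvious case, since the `endpoints` description ties `address` to the tcp and unix modes — would presumably abort with an index error rather than produce the "a map with keys 'http' and 'https' …" message defined at the bottom of the hunk. Check presence before reading, at the top of that branch: `#@ if "network" not in endpoint or "address" not in endpoint:` / `#@   return False` / `#@ end`, assuming ytt's yamlfragment supports `in` the way a dict does (confirm). `validate_endpoint` begins outside this hunk, so its earlier branches were not reviewed. Separately, `custom_labels` in this file keeps the message "a map of keys and values" while the Concierge schema in this same commit says "a map of string keys and string values"; aligning them is a one-line change.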


@@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright 2021 the Pinniped contributors. All Rights Reserved.
# Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
#
@@ -106,7 +106,7 @@ function cleanup() {
kubectl delete webhookauthenticator local-user-authenticator
log_note "Stopping kubectl port-forward and exiting..."
# It may have already shut down, so ignore errors.
kill -9 $port_forward_pid &> /dev/null || true
kill -9 $port_forward_pid &>/dev/null || true
}
trap cleanup EXIT


@@ -39,7 +39,6 @@ cd "$ROOT"
source hack/lib/helpers.sh
use_oidc_upstream=no
use_ldap_upstream=no
use_ad_upstream=no
@@ -115,8 +114,8 @@ if [[ "${PINNIPED_USE_CONTOUR:-}" != "" ]]; then
# Wait for its pods to be ready.
echo "Waiting for Contour to be ready..."
kubectl wait --for 'jsonpath={.status.phase}=Succeeded' pods -l 'app=contour-certgen' -n projectcontour --timeout 60s
kubectl wait --for 'jsonpath={.status.phase}=Running' pods -l 'app!=contour-certgen' -n projectcontour --timeout 60s
kubectl wait --for 'jsonpath={.status.phase}=Succeeded' pods -l 'app=contour-certgen' -n projectcontour --timeout 60s
kubectl wait --for 'jsonpath={.status.phase}=Running' pods -l 'app!=contour-certgen' -n projectcontour --timeout 60s
# Create an ingress for the Supervisor which uses TLS passthrough to allow the Supervisor to terminate TLS.
cat <<EOF | kubectl apply --namespace "$PINNIPED_TEST_SUPERVISOR_NAMESPACE" -f -
@@ -313,7 +312,7 @@ kubectl create secret tls -n "$PINNIPED_TEST_SUPERVISOR_NAMESPACE" my-federation
# Make a FederationDomain using the TLS Secret and identity providers from above in a temp file.
fd_file="/tmp/federationdomain.yaml"
cat << EOF > $fd_file
cat <<EOF >$fd_file
apiVersion: config.supervisor.pinniped.dev/v1alpha1
kind: FederationDomain
metadata:
@@ -327,7 +326,7 @@ EOF
if [[ "$use_oidc_upstream" == "yes" ]]; then
# Indenting the heredoc by 4 spaces to make it indented the correct amount in the FederationDomain below.
cat << EOF >> $fd_file
cat <<EOF >>$fd_file
- displayName: "My OIDC IDP 🚀"
objectRef:
@@ -351,7 +350,7 @@ fi
if [[ "$use_ldap_upstream" == "yes" ]]; then
# Indenting the heredoc by 4 spaces to make it indented the correct amount in the FederationDomain below.
cat << EOF >> $fd_file
cat <<EOF >>$fd_file
- displayName: "My LDAP IDP 🚀"
objectRef:
@@ -405,7 +404,7 @@ fi
if [[ "$use_ad_upstream" == "yes" ]]; then
# Indenting the heredoc by 4 spaces to make it indented the correct amount in the FederationDomain below.
cat << EOF >> $fd_file
cat <<EOF >>$fd_file
- displayName: "My AD IDP"
objectRef: