diff --git a/Dockerfile b/Dockerfile index 3fb722b76..7a23cd1e9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ # Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 -ARG BUILD_IMAGE=golang:1.21.6@sha256:7b575fe0d9c2e01553b04d9de8ffea6d35ca3ab3380d2a8db2acc8f0f1519a53 +ARG BUILD_IMAGE=golang:1.22.0@sha256:ef61a20960397f4d44b0e729298bf02327ca94f1519239ddc6d91689615b1367 ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:112a87f19e83c83711cc81ce8ed0b4d79acd65789682a6a272df57c4a0858534 # Prepare to cross-compile by always running the build stage in the build platform, not the target platform. diff --git a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index 0520898f3..a7981552c 100644 --- a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -97,42 +105,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +154,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 5924c6f68..08defa182 100644 --- a/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -70,42 +75,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +124,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml b/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml index 6f50730c8..7bf231443 100644 --- a/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -117,17 +113,17 @@ spec: type: object x-kubernetes-map-type: atomic transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -162,25 +158,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -189,27 +181,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -232,44 +215,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -280,10 +257,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -305,14 +281,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -320,26 +298,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -353,42 +333,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -402,11 +382,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -434,46 +415,55 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic diff --git a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml index c61c4b154..0960ca0de 100644 --- a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -129,42 +132,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +181,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 7bb486de5..414ac4f51 100644 --- a/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -232,42 +229,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +278,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 85106cb82..f718e93aa 100644 --- a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -229,42 +220,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +269,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7bea863d7..486665605 100644 --- a/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -259,42 +224,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +273,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.21/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.21/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index c392c9a0a..2f8daff74 100644 --- a/generated/1.21/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.21/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -96,43 +104,49 @@ spec: description: Represents the observations of the authenticator's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +160,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.21/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.21/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 84ccb758c..72b55d000 100644 --- a/generated/1.21/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.21/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -69,43 +74,49 @@ spec: description: Represents the observations of the authenticator's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +130,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/generated/1.21/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.21/crds/config.supervisor.pinniped.dev_federationdomains.yaml index 72104b64b..fcfcd3e5f 100644 --- a/generated/1.21/crds/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/generated/1.21/crds/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -116,17 +112,17 @@ spec: - name type: object transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -161,25 +157,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -188,27 +180,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -231,44 +214,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -279,10 +256,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -304,14 +280,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -319,26 +297,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -351,43 +331,49 @@ spec: description: Conditions represent the observations of an FederationDomain's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -401,11 +387,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -433,43 +420,52 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object type: object diff --git a/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 8e3925d96..30c154f7e 100644 --- a/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -128,43 +131,49 @@ spec: description: conditions represent the observations of an OIDCClient's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +187,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.21/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.21/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 8f545cebe..c661f4038 100644 --- a/generated/1.21/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.21/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -231,43 +228,49 @@ spec: description: Represents the observations of an identity provider's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +284,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.21/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.21/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index d00317bf7..111336437 100644 --- a/generated/1.21/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.21/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -228,43 +219,49 @@ spec: description: Represents the observations of an identity provider's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +275,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.21/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.21/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7ea600b15..8f02f99be 100644 --- a/generated/1.21/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.21/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -258,43 +223,49 @@ spec: description: Represents the observations of an identity provider's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +279,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.22/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.22/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index c392c9a0a..2f8daff74 100644 --- a/generated/1.22/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.22/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -96,43 +104,49 @@ spec: description: Represents the observations of the authenticator's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +160,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.22/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.22/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 84ccb758c..72b55d000 100644 --- a/generated/1.22/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.22/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -69,43 +74,49 @@ spec: description: Represents the observations of the authenticator's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +130,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/generated/1.22/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.22/crds/config.supervisor.pinniped.dev_federationdomains.yaml index 351b0ca23..d2b62d31b 100644 --- a/generated/1.22/crds/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/generated/1.22/crds/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -117,17 +113,17 @@ spec: type: object x-kubernetes-map-type: atomic transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -162,25 +158,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -189,27 +181,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -232,44 +215,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -280,10 +257,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -305,14 +281,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -320,26 +298,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -352,43 +332,49 @@ spec: description: Conditions represent the observations of an FederationDomain's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -402,11 +388,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -434,46 +421,55 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic diff --git a/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 8e3925d96..30c154f7e 100644 --- a/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -128,43 +131,49 @@ spec: description: conditions represent the observations of an OIDCClient's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +187,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.22/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.22/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 8f545cebe..c661f4038 100644 --- a/generated/1.22/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.22/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -231,43 +228,49 @@ spec: description: Represents the observations of an identity provider's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +284,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.22/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.22/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index d00317bf7..111336437 100644 --- a/generated/1.22/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.22/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -228,43 +219,49 @@ spec: description: Represents the observations of an identity provider's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +275,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.22/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.22/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7ea600b15..8f02f99be 100644 --- a/generated/1.22/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.22/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -258,43 +223,49 @@ spec: description: Represents the observations of an identity provider's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +279,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.23/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.23/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index 0520898f3..a7981552c 100644 --- a/generated/1.23/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.23/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -97,42 +105,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +154,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.23/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.23/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 5924c6f68..08defa182 100644 --- a/generated/1.23/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.23/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -70,42 +75,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +124,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/generated/1.23/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.23/crds/config.supervisor.pinniped.dev_federationdomains.yaml index 6f50730c8..7bf231443 100644 --- a/generated/1.23/crds/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/generated/1.23/crds/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -117,17 +113,17 @@ spec: type: object x-kubernetes-map-type: atomic transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -162,25 +158,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -189,27 +181,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -232,44 +215,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -280,10 +257,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -305,14 +281,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -320,26 +298,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -353,42 +333,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -402,11 +382,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -434,46 +415,55 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic diff --git a/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61c4b154..0960ca0de 100644 --- a/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -129,42 +132,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +181,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.23/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.23/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 7bb486de5..414ac4f51 100644 --- a/generated/1.23/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.23/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -232,42 +229,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +278,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.23/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.23/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 85106cb82..f718e93aa 100644 --- a/generated/1.23/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.23/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -229,42 +220,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +269,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.23/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.23/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7bea863d7..486665605 100644 --- a/generated/1.23/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.23/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -259,42 +224,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +273,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index 0520898f3..a7981552c 100644 --- a/generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -97,42 +105,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +154,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 5924c6f68..08defa182 100644 --- a/generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -70,42 +75,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +124,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/generated/1.24/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.24/crds/config.supervisor.pinniped.dev_federationdomains.yaml index 6f50730c8..7bf231443 100644 --- a/generated/1.24/crds/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/generated/1.24/crds/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -117,17 +113,17 @@ spec: type: object x-kubernetes-map-type: atomic transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -162,25 +158,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -189,27 +181,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -232,44 +215,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -280,10 +257,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -305,14 +281,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -320,26 +298,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -353,42 +333,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -402,11 +382,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -434,46 +415,55 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic diff --git a/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61c4b154..0960ca0de 100644 --- a/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -129,42 +132,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +181,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 7bb486de5..414ac4f51 100644 --- a/generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -232,42 +229,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +278,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 85106cb82..f718e93aa 100644 --- a/generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -229,42 +220,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +269,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7bea863d7..486665605 100644 --- a/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -259,42 +224,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +273,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index 0520898f3..a7981552c 100644 --- a/generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -97,42 +105,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +154,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 5924c6f68..08defa182 100644 --- a/generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -70,42 +75,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +124,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml index 6f50730c8..7bf231443 100644 --- a/generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -117,17 +113,17 @@ spec: type: object x-kubernetes-map-type: atomic transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -162,25 +158,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -189,27 +181,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -232,44 +215,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -280,10 +257,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -305,14 +281,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -320,26 +298,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -353,42 +333,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -402,11 +382,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -434,46 +415,55 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic diff --git a/generated/1.25/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.25/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61c4b154..0960ca0de 100644 --- a/generated/1.25/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.25/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -129,42 +132,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +181,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 7bb486de5..414ac4f51 100644 --- a/generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -232,42 +229,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +278,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 85106cb82..f718e93aa 100644 --- a/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -229,42 +220,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +269,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7bea863d7..486665605 100644 --- a/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -259,42 +224,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +273,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index 0520898f3..a7981552c 100644 --- a/generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -97,42 +105,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +154,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 5924c6f68..08defa182 100644 --- a/generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -70,42 +75,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +124,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml index 6f50730c8..7bf231443 100644 --- a/generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -117,17 +113,17 @@ spec: type: object x-kubernetes-map-type: atomic transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -162,25 +158,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -189,27 +181,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -232,44 +215,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -280,10 +257,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -305,14 +281,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -320,26 +298,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -353,42 +333,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -402,11 +382,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -434,46 +415,55 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic diff --git a/generated/1.26/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.26/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61c4b154..0960ca0de 100644 --- a/generated/1.26/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.26/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -129,42 +132,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +181,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 7bb486de5..414ac4f51 100644 --- a/generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -232,42 +229,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +278,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 85106cb82..f718e93aa 100644 --- a/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -229,42 +220,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +269,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7bea863d7..486665605 100644 --- a/generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -259,42 +224,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +273,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index 0520898f3..a7981552c 100644 --- a/generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -97,42 +105,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +154,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 5924c6f68..08defa182 100644 --- a/generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -70,42 +75,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +124,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/generated/1.27/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.27/crds/config.supervisor.pinniped.dev_federationdomains.yaml index 6f50730c8..7bf231443 100644 --- a/generated/1.27/crds/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/generated/1.27/crds/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -117,17 +113,17 @@ spec: type: object x-kubernetes-map-type: atomic transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -162,25 +158,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -189,27 +181,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -232,44 +215,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -280,10 +257,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -305,14 +281,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -320,26 +298,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -353,42 +333,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -402,11 +382,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -434,46 +415,55 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic diff --git a/generated/1.27/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.27/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61c4b154..0960ca0de 100644 --- a/generated/1.27/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.27/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -129,42 +132,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +181,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.27/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.27/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 7bb486de5..414ac4f51 100644 --- a/generated/1.27/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -232,42 +229,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +278,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 85106cb82..f718e93aa 100644 --- a/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -229,42 +220,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +269,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.27/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.27/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7bea863d7..486665605 100644 --- a/generated/1.27/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -259,42 +224,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +273,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.28/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.28/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index 0520898f3..a7981552c 100644 --- a/generated/1.28/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.28/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -97,42 +105,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +154,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.28/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.28/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 5924c6f68..08defa182 100644 --- a/generated/1.28/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.28/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -70,42 +75,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +124,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.28/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.28/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/generated/1.28/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.28/crds/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/generated/1.28/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.28/crds/config.supervisor.pinniped.dev_federationdomains.yaml index 6f50730c8..7bf231443 100644 --- a/generated/1.28/crds/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/generated/1.28/crds/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -117,17 +113,17 @@ spec: type: object x-kubernetes-map-type: atomic transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -162,25 +158,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -189,27 +181,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -232,44 +215,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -280,10 +257,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -305,14 +281,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -320,26 +298,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -353,42 +333,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -402,11 +382,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -434,46 +415,55 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic diff --git a/generated/1.28/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.28/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61c4b154..0960ca0de 100644 --- a/generated/1.28/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.28/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -129,42 +132,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +181,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.28/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.28/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 7bb486de5..414ac4f51 100644 --- a/generated/1.28/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.28/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -232,42 +229,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +278,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.28/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.28/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 85106cb82..f718e93aa 100644 --- a/generated/1.28/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.28/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -229,42 +220,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +269,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.28/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.28/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7bea863d7..486665605 100644 --- a/generated/1.28/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.28/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -259,42 +224,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +273,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/go.mod b/go.mod index 67f38447b..b60edb354 100644 --- a/go.mod +++ b/go.mod @@ -55,11 +55,11 @@ require ( github.com/stretchr/testify v1.8.4 github.com/tdewolff/minify/v2 v2.20.16 go.uber.org/zap v1.26.0 - golang.org/x/crypto v0.18.0 + golang.org/x/crypto v0.19.0 golang.org/x/net v0.20.0 golang.org/x/oauth2 v0.16.0 golang.org/x/sync v0.6.0 - golang.org/x/term v0.16.0 + golang.org/x/term v0.17.0 golang.org/x/text v0.14.0 k8s.io/api v0.29.1 k8s.io/apiextensions-apiserver v0.29.1 @@ -174,7 +174,7 @@ require ( go.uber.org/multierr v1.11.0 // indirect golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc // indirect golang.org/x/mod v0.14.0 // indirect - golang.org/x/sys v0.16.0 // indirect + golang.org/x/sys v0.17.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.16.1 // indirect google.golang.org/appengine v1.6.8 // indirect diff --git a/go.sum b/go.sum index e25d9cdbf..34f7d9209 100644 --- a/go.sum +++ b/go.sum @@ -665,8 +665,8 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= -golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= -golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -833,8 +833,9 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -843,8 +844,8 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= -golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= -golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= +golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= diff --git a/hack/Dockerfile_fips b/hack/Dockerfile_fips index f936bcd29..5dcbd5b7a 100644 --- a/hack/Dockerfile_fips +++ b/hack/Dockerfile_fips @@ -16,7 +16,7 @@ # See https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md # and https://kupczynski.info/posts/fips-golang/ for details. -ARG BUILD_IMAGE=golang:1.21.6@sha256:7b575fe0d9c2e01553b04d9de8ffea6d35ca3ab3380d2a8db2acc8f0f1519a53 +ARG BUILD_IMAGE=golang:1.22.0@sha256:ef61a20960397f4d44b0e729298bf02327ca94f1519239ddc6d91689615b1367 ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:112a87f19e83c83711cc81ce8ed0b4d79acd65789682a6a272df57c4a0858534 # This is not currently using --platform to prepare to cross-compile because we use gcc below to build diff --git a/internal/crypto/ptls/fips_strict.go b/internal/crypto/ptls/fips_strict.go index 6cf4bfd82..b040bb12e 100644 --- a/internal/crypto/ptls/fips_strict.go +++ b/internal/crypto/ptls/fips_strict.go @@ -1,8 +1,7 @@ // Copyright 2022-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -// The configurations here override the usual ptls.Default and ptls.DefaultLDAP -// configs when Pinniped is built in fips-only mode. +// The configurations here override the usual configs when Pinniped is built in fips-only mode. //go:build fips_strict package ptls @@ -14,16 +13,15 @@ import ( "path/filepath" "runtime" + "k8s.io/apiserver/pkg/server/options" + // Cause fipsonly tls mode with this side effect import. _ "go.pinniped.dev/internal/crypto/fips" "go.pinniped.dev/internal/plog" ) -// goboring now also supports TLS 1.3 starting in Golang 1.21.6 -// (see https://github.com/golang/go/issues/64717), -// so we can use TLS 1.3 as the minimum TLS version for our "secure" configuration -// profile in both FIPS and non-FIPS compiled binaries. -// Hence, we no longer redefine the Secure() function in this file. +// Until goboring supports TLS 1.3, use TLS 1.2. +const SecureTLSConfigMinTLSVersion = tls.VersionTLS12 func init() { switch filepath.Base(os.Args[0]) { @@ -40,9 +38,8 @@ func init() { func Default(rootCAs *x509.CertPool) *tls.Config { return &tls.Config{ MinVersion: tls.VersionTLS12, - // goboring now also supports TLS 1.3 (see https://github.com/golang/go/issues/64717) - // so this default configuration can allow either 1.2 or 1.3 - MaxVersion: SecureTLSConfigMinTLSVersion, + // Until goboring supports TLS 1.3, make the max version 1.2. + MaxVersion: tls.VersionTLS12, // This is all the fips-approved TLS 1.2 ciphers. // The list is hard-coded for convenience of testing. @@ -53,6 +50,8 @@ func Default(rootCAs *x509.CertPool) *tls.Config { tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_RSA_WITH_AES_256_GCM_SHA384, }, // enable HTTP2 for go's 1.7 HTTP Server @@ -65,6 +64,16 @@ func Default(rootCAs *x509.CertPool) *tls.Config { } } +// Until goboring supports TLS 1.3, make the Secure profile the same as the Default profile in FIPS mode. +func Secure(rootCAs *x509.CertPool) *tls.Config { + return Default(rootCAs) +} + func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config { return Default(rootCAs) } + +// Until goboring supports TLS 1.3, make secureServing use the same as the defaultServing profile in FIPS mode. +func secureServing(opts *options.SecureServingOptionsWithLoopback) { + defaultServing(opts) +} diff --git a/internal/crypto/ptls/ptls_test.go b/internal/crypto/ptls/ptls_test.go index 27aa13231..5825faf1d 100644 --- a/internal/crypto/ptls/ptls_test.go +++ b/internal/crypto/ptls/ptls_test.go @@ -5,8 +5,11 @@ package ptls import ( "crypto/tls" + "runtime" + "strings" "testing" + "github.com/coreos/go-semver/semver" "github.com/stretchr/testify/require" "k8s.io/apiserver/pkg/server/options" ) @@ -46,6 +49,13 @@ func TestSecureServing(t *testing.T) { func TestMerge(t *testing.T) { t.Parallel() + runtimeVersion := runtime.Version() + if strings.HasPrefix(runtimeVersion, "go") { + runtimeVersion, _ = strings.CutPrefix(runtimeVersion, "go") + } + runtimeVersionSemver, err := semver.NewVersion(runtimeVersion) + require.NoError(t, err) + tests := []struct { name string tlsConfigFunc ConfigFunc @@ -176,60 +186,24 @@ func TestMerge(t *testing.T) { ServerName: "something-to-check-passthrough", }, want: &tls.Config{ - ServerName: "something-to-check-passthrough", - MinVersion: tls.VersionTLS12, - CipherSuites: []uint16{ - tls.TLS_RSA_WITH_AES_128_CBC_SHA, //nolint:gosec // yeah, I know it is a bad cipher, this is the legacy config - tls.TLS_RSA_WITH_AES_256_CBC_SHA, - tls.TLS_RSA_WITH_AES_128_GCM_SHA256, - tls.TLS_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_AES_128_GCM_SHA256, - tls.TLS_AES_256_GCM_SHA384, - tls.TLS_CHACHA20_POLY1305_SHA256, - tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, - tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, - tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, - tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, - }, - NextProtos: []string{"h2", "http/1.1"}, + ServerName: "something-to-check-passthrough", + MinVersion: tls.VersionTLS12, + CipherSuites: wantLegacyCipherSuites(runtimeVersionSemver), + NextProtos: []string{"h2", "http/1.1"}, }, }, { name: "legacy with NextProtos", tlsConfigFunc: Legacy, - tlsConfig: &tls.Config{ + tlsConfig: &tls.Config{ //nolint:gosec // not concerned with TLS MinVersion here ServerName: "a different thing for passthrough", NextProtos: []string{"panda"}, }, want: &tls.Config{ - ServerName: "a different thing for passthrough", - MinVersion: tls.VersionTLS12, - CipherSuites: []uint16{ - tls.TLS_RSA_WITH_AES_128_CBC_SHA, //nolint:gosec // yeah, I know it is a bad cipher, this is the legacy config - tls.TLS_RSA_WITH_AES_256_CBC_SHA, - tls.TLS_RSA_WITH_AES_128_GCM_SHA256, - tls.TLS_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_AES_128_GCM_SHA256, - tls.TLS_AES_256_GCM_SHA384, - tls.TLS_CHACHA20_POLY1305_SHA256, - tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, - tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, - tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, - tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, - }, - NextProtos: []string{"panda"}, + ServerName: "a different thing for passthrough", + MinVersion: tls.VersionTLS12, + CipherSuites: wantLegacyCipherSuites(runtimeVersionSemver), + NextProtos: []string{"panda"}, }, }, } @@ -243,3 +217,31 @@ func TestMerge(t *testing.T) { }) } } + +func wantLegacyCipherSuites(runtime *semver.Version) []uint16 { + var ciphers []uint16 + if runtime.Major == 1 && runtime.Minor < 22 { + ciphers = append(ciphers, []uint16{ + tls.TLS_RSA_WITH_AES_128_CBC_SHA, + tls.TLS_RSA_WITH_AES_256_CBC_SHA, + tls.TLS_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_RSA_WITH_AES_256_GCM_SHA384, + }...) + } + ciphers = append(ciphers, []uint16{ + tls.TLS_AES_128_GCM_SHA256, + tls.TLS_AES_256_GCM_SHA384, + tls.TLS_CHACHA20_POLY1305_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + }...) + return ciphers +} diff --git a/internal/crypto/ptls/secure.go b/internal/crypto/ptls/secure.go index 7f628f18f..d08139443 100644 --- a/internal/crypto/ptls/secure.go +++ b/internal/crypto/ptls/secure.go @@ -1,6 +1,8 @@ // Copyright 2021-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 +//go:build !fips_strict + package ptls import ( diff --git a/internal/plog/plog_test.go b/internal/plog/plog_test.go index b1c830c0f..c116a939e 100644 --- a/internal/plog/plog_test.go +++ b/internal/plog/plog_test.go @@ -11,10 +11,18 @@ import ( "testing" "time" + "github.com/coreos/go-semver/semver" "github.com/stretchr/testify/require" ) func TestPlog(t *testing.T) { + runtimeVersion := runtime.Version() + if strings.HasPrefix(runtimeVersion, "go") { + runtimeVersion, _ = strings.CutPrefix(runtimeVersion, "go") + } + runtimeVersionSemver, err := semver.NewVersion(runtimeVersion) + require.NoError(t, err) + tests := []struct { name string run func(Logger) @@ -298,10 +306,17 @@ func TestPlog(t *testing.T) { {"level":"all","timestamp":"2099-08-08T13:57:36.123456Z","caller":"plog/plog_test.go:$plog.TestPlog.%[1]s","message":"all","panda":2} {"level":"info","timestamp":"2099-08-08T13:57:36.123456Z","caller":"plog/plog_test.go:$plog.TestPlog.%[1]s","message":"always","panda":2} `, func() string { - if strings.Contains(runtime.Version(), "1.21") { + switch { + case runtimeVersionSemver.Major == 1 && runtimeVersionSemver.Minor == 21: + // Format of string for Go 1.21 return "func13.TestPlog.func13.1.func2" + case runtimeVersionSemver.Major == 1 && runtimeVersionSemver.Minor >= 22: + // Format of string for Go 1.22+ + return "func13.TestPlog.func13.1.2" + default: + // Format of string for Go 1.20 and below. + return "func13.1.1" } - return "func13.1.1" }()), }, { diff --git a/internal/testutil/tlsserver/tlsserver.go b/internal/testutil/tlsserver/tlsserver.go index 56eddba39..9669764d4 100644 --- a/internal/testutil/tlsserver/tlsserver.go +++ b/internal/testutil/tlsserver/tlsserver.go @@ -85,6 +85,10 @@ func AssertTLS(t *testing.T, r *http.Request, clientTLSConfigFunc ptls.ConfigFun var wantClientSupportedCiphers []uint16 switch { + // When the provided config only supports TLS 1.2, then set up the expected values for TLS 1.2. + case clientTLSConfig.MinVersion == tls.VersionTLS12 && clientTLSConfig.MaxVersion == tls.VersionTLS12: + wantClientSupportedVersions = []uint16{tls.VersionTLS12} + wantClientSupportedCiphers = clientTLSConfig.CipherSuites // When the provided config only supports TLS 1.3, then set up the expected values for TLS 1.3. case clientTLSConfig.MinVersion == tls.VersionTLS13: wantClientSupportedVersions = []uint16{tls.VersionTLS13}