mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2025-12-23 14:25:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'main' into jtc/add-importas-linter

Browse Source
This commit is contained in:
Joshua Casey
2024-06-11 09:39:48 -05:00
parent 2f9df8c8e2 8ac2dc2e9e
commit bafd578866
357 changed files with 23832 additions and 1310 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
.github/dependabot.yml vendored
View File

@@ -9,12 +9,25 @@ updates:
schedule:
interval: "daily"
# Our own CI job is responsible for updating this go.mod file now.
# - package-ecosystem: "gomod"
# open-pull-requests-limit: 100
# directory: "/"
# schedule:
# interval: "daily"
# Use dependabot to automate major-only dependency bumps
- package-ecosystem: "gomod"
open-pull-requests-limit: 2 # Not sure why there would ever be more than 1, just would not want to hide anything
directory: "/"
schedule:
interval: "daily"
# group all major dependency bumps together so there's only one pull request
groups:
go-modules:
patterns:
- "*"
update-types:
- "major"
ignore:
# For all packages, ignore all minor and patch updates
- dependency-name: "*"
update-types:
- "version-update:semver-minor"
- "version-update:semver-patch"
# Our own CI job is responsible for updating this Docker file now.
# - package-ecosystem: "docker"

4
Dockerfile
View File

@@ -1,9 +1,9 @@
# syntax=docker/dockerfile:1
# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
ARG BUILD_IMAGE=golang:1.22.3@sha256:f43c6f049f04cbbaeb28f0aad3eea15274a7d0a7899a617d0037aec48d7ab010
ARG BUILD_IMAGE=golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978
ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:e9ac71e2b8e279a8372741b7a0293afda17650d926900233ec3a7b2b7c22a246
# Prepare to cross-compile by always running the build stage in the build platform, not the target platform.

4
apis/supervisor/idp/v1alpha1/register.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&LDAPIdentityProviderList{},
&ActiveDirectoryIdentityProvider{},
&ActiveDirectoryIdentityProviderList{},
&GitHubIdentityProvider{},
&GitHubIdentityProviderList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil

256
apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go.tmpl Normal file
View File

@@ -0,0 +1,256 @@
// Copyright 2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
type GitHubIdentityProviderPhase string
const (
// GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources.
GitHubPhasePending GitHubIdentityProviderPhase = "Pending"
// GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state.
GitHubPhaseReady GitHubIdentityProviderPhase = "Ready"
// GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state.
GitHubPhaseError GitHubIdentityProviderPhase = "Error"
)
type GitHubAllowedAuthOrganizationsPolicy string
const (
// GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity
// provider, regardless of their organization membership or lack thereof.
GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers"
// GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in
// the listed GitHub organizations are allowed to log in.
GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations"
)
// GitHubIdentityProviderStatus is the status of an GitHub identity provider.
type GitHubIdentityProviderStatus struct {
// Phase summarizes the overall status of the GitHubIdentityProvider.
//
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase GitHubIdentityProviderPhase `json:"phase,omitempty"`
// Conditions represents the observations of an identity provider's current state.
//
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
// GitHubAPIConfig allows configuration for GitHub Enterprise Server
type GitHubAPIConfig struct {
// Host is required only for GitHub Enterprise Server.
// Defaults to using GitHub's public API ("github.com").
// Do not specify a protocol or scheme since "https://" will always be used.
// Port is optional. Do not specify a path, query, fragment, or userinfo.
// Only domain name or IP address, subdomains (optional), and port (optional).
// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
// in square brackets. Example: "[::1]:443".
//
// +kubebuilder:default="github.com"
// +kubebuilder:validation:MinLength=1
// +optional
Host *string `json:"host"`
// TLS configuration for GitHub Enterprise Server.
//
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
}
// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
// to Kubernetes. See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
type GitHubUsernameAttribute string
const (
// GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes.
GitHubUsernameID GitHubUsernameAttribute = "id"
// GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes.
GitHubUsernameLogin GitHubUsernameAttribute = "login"
// GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the
// username to present to Kubernetes, separated by a colon. Example: "my-login:1234"
GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id"
)
// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
// names to present to Kubernetes. See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
type GitHubGroupNameAttribute string
const (
// GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes.
GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name"
// GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes.
GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug"
)
// GitHubClaims allows customization of the username and groups claims.
type GitHubClaims struct {
// Username configures which property of the GitHub user record shall determine the username in Kubernetes.
//
// Can be either "id", "login", or "login:id". Defaults to "login:id".
//
// GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
// and may not start or end with hyphens. GitHub users are allowed to change their login name,
// although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
// then a second user might change their name from "baz" to "foo" in order to take the old
// username of the first user. For this reason, it is not as safe to make authorization decisions
// based only on the user's login attribute.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these usernames are presented to Kubernetes.
//
// Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
// unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
// from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
// choice to concatenate the two values.
//
// See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
//
// +kubebuilder:default="login:id"
// +kubebuilder:validation:Enum={"id","login","login:id"}
// +optional
Username *GitHubUsernameAttribute `json:"username"`
// Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
//
// Can be either "name" or "slug". Defaults to "slug".
//
// GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
//
// GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
//
// Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
// forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
// or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
// the team name or slug.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these group names are presented to Kubernetes.
//
// See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
//
// +kubebuilder:default=slug
// +kubebuilder:validation:Enum=name;slug
// +optional
Groups *GitHubGroupNameAttribute `json:"groups"`
}
// GitHubClientSpec contains information about the GitHub client that this identity provider will use
// for web-based login flows.
type GitHubClientSpec struct {
// SecretName contains the name of a namespace-local Secret object that provides the clientID and
// clientSecret for an GitHub App or GitHub OAuth2 client.
//
// This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
//
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
type GitHubOrganizationsSpec struct {
// Policy must be set to "AllGitHubUsers" if allowed is empty.
//
// This field only exists to ensure that Pinniped administrators are aware that an empty list of
// allowedOrganizations means all GitHub users are allowed to log in.
//
// +kubebuilder:default=OnlyUsersFromAllowedOrganizations
// +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers
// +optional
Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"`
// Allowed, when specified, indicates that only users with membership in at least one of the listed
// GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
// teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
// provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
//
// The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
// otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
// within that organization.
//
// If no organizations are listed, you must set organizations: AllGitHubUsers.
//
// +kubebuilder:validation:MaxItems=64
// +listType=set
// +optional
Allowed []string `json:"allowed,omitempty"`
}
// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
type GitHubAllowAuthenticationSpec struct {
// Organizations allows customization of which organizations can authenticate using this IDP.
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')"
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')"
Organizations GitHubOrganizationsSpec `json:"organizations"`
}
// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
type GitHubIdentityProviderSpec struct {
// GitHubAPI allows configuration for GitHub Enterprise Server
//
// +kubebuilder:default={}
GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"`
// Claims allows customization of the username and groups claims.
//
// +kubebuilder:default={}
Claims GitHubClaims `json:"claims,omitempty"`
// AllowAuthentication allows customization of who can authenticate using this IDP and how.
AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"`
// Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
Client GitHubClientSpec `json:"client"`
}
// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
//
// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
// as OIDCClients.
//
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type GitHubIdentityProvider struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the identity provider.
Spec GitHubIdentityProviderSpec `json:"spec"`
// Status of the identity provider.
Status GitHubIdentityProviderStatus `json:"status,omitempty"`
}
// GitHubIdentityProviderList lists GitHubIdentityProvider objects.
//
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type GitHubIdentityProviderList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []GitHubIdentityProvider `json:"items"`
}

4
apis/supervisor/idp/v1alpha1/types_tls.go.tmpl
View File

@@ -1,9 +1,9 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
// Configuration for TLS parameters related to identity provider integration.
// TLSSpec provides TLS configuration for identity provider integration.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional

1
apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go.tmpl
View File

@@ -15,6 +15,7 @@ const (
IDPTypeOIDC IDPType = "oidc"
IDPTypeLDAP IDPType = "ldap"
IDPTypeActiveDirectory IDPType = "activedirectory"
IDPTypeGitHub IDPType = "github"
IDPFlowCLIPassword IDPFlow = "cli_password"
IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"

13
cmd/pinniped/cmd/kubeconfig.go
View File

@@ -143,7 +143,18 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
f.BoolVar(&flags.oidc.debugSessionCache, "oidc-debug-session-cache", false, "Print debug logs related to the OpenID Connect session cache")
f.StringVar(&flags.oidc.requestAudience, "oidc-request-audience", "", "Request a token with an alternate audience using RFC8693 token exchange")
f.StringVar(&flags.oidc.upstreamIDPName, "upstream-identity-provider-name", "", "The name of the upstream identity provider used during login with a Supervisor")
f.StringVar(&flags.oidc.upstreamIDPType, "upstream-identity-provider-type", "", fmt.Sprintf("The type of the upstream identity provider used during login with a Supervisor (e.g. '%s', '%s', '%s')", idpdiscoveryv1alpha1.IDPTypeOIDC, idpdiscoveryv1alpha1.IDPTypeLDAP, idpdiscoveryv1alpha1.IDPTypeActiveDirectory))
f.StringVar(
&flags.oidc.upstreamIDPType,
"upstream-identity-provider-type",
"",
fmt.Sprintf(
"The type of the upstream identity provider used during login with a Supervisor (e.g. '%s', '%s', '%s', '%s')",
idpdiscoveryv1alpha1.IDPTypeOIDC,
idpdiscoveryv1alpha1.IDPTypeLDAP,
idpdiscoveryv1alpha1.IDPTypeActiveDirectory,
idpdiscoveryv1alpha1.IDPTypeGitHub,
),
)
f.StringVar(&flags.oidc.upstreamIDPFlow, "upstream-identity-provider-flow", "", fmt.Sprintf("The type of client flow to use with the upstream identity provider during login with a Supervisor (e.g. '%s', '%s')", idpdiscoveryv1alpha1.IDPFlowCLIPassword, idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode))
f.StringVar(&flags.kubeconfigPath, "kubeconfig", os.Getenv("KUBECONFIG"), "Path to kubeconfig file")
f.StringVar(&flags.kubeconfigContextOverride, "kubeconfig-context", "", "Kubeconfig context name (default: current active context)")

7
cmd/pinniped/cmd/kubeconfig_test.go
View File

@@ -157,7 +157,7 @@ func TestGetKubeconfig(t *testing.T) {
--timeout duration Timeout for autodiscovery and validation (default 10m0s)
--upstream-identity-provider-flow string The type of client flow to use with the upstream identity provider during login with a Supervisor (e.g. 'cli_password', 'browser_authcode')
--upstream-identity-provider-name string The name of the upstream identity provider used during login with a Supervisor
--upstream-identity-provider-type string The type of the upstream identity provider used during login with a Supervisor (e.g. 'oidc', 'ldap', 'activedirectory')
--upstream-identity-provider-type string The type of the upstream identity provider used during login with a Supervisor (e.g. 'oidc', 'ldap', 'activedirectory', 'github')
`)
},
},
@@ -909,7 +909,8 @@ func TestGetKubeconfig(t *testing.T) {
idpsDiscoveryResponse: here.Docf(`{
"pinniped_identity_providers": [
{"name": "some-ldap-idp", "type": "ldap"},
{"name": "some-oidc-idp", "type": "oidc", "flows": ["flow1", "flow2"]}
{"name": "some-oidc-idp", "type": "oidc", "flows": ["flow1", "flow2"]},
{"name": "some-github-idp", "type": "github"}
]
}`),
wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -928,7 +929,7 @@ func TestGetKubeconfig(t *testing.T) {
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
return testutil.WantExactErrorString(`Error: multiple Supervisor upstream identity providers were found, ` +
`so the --upstream-identity-provider-name/--upstream-identity-provider-type flags must be specified. ` +
`Found these upstreams: [{"name":"some-ldap-idp","type":"ldap"},{"name":"some-oidc-idp","type":"oidc","flows":["flow1","flow2"]}]` + "\n")
`Found these upstreams: [{"name":"some-ldap-idp","type":"ldap"},{"name":"some-oidc-idp","type":"oidc","flows":["flow1","flow2"]},{"name":"some-github-idp","type":"github"}]` + "\n")
},
},
{

11
cmd/pinniped/cmd/login_oidc.go
View File

@@ -141,7 +141,16 @@ func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", groupsuffix.PinnipedDefaultSuffix, "Concierge API group suffix")
cmd.Flags().StringVar(&flags.credentialCachePath, "credential-cache", filepath.Join(mustGetConfigDir(), "credentials.yaml"), "Path to cluster-specific credentials cache (\"\" disables the cache)")
cmd.Flags().StringVar(&flags.upstreamIdentityProviderName, "upstream-identity-provider-name", "", "The name of the upstream identity provider used during login with a Supervisor")
cmd.Flags().StringVar(&flags.upstreamIdentityProviderType, "upstream-identity-provider-type", idpdiscoveryv1alpha1.IDPTypeOIDC.String(), fmt.Sprintf("The type of the upstream identity provider used during login with a Supervisor (e.g. '%s', '%s', '%s')", idpdiscoveryv1alpha1.IDPTypeOIDC, idpdiscoveryv1alpha1.IDPTypeLDAP, idpdiscoveryv1alpha1.IDPTypeActiveDirectory))
cmd.Flags().StringVar(&flags.upstreamIdentityProviderType,
"upstream-identity-provider-type",
idpdiscoveryv1alpha1.IDPTypeOIDC.String(),
fmt.Sprintf(
"The type of the upstream identity provider used during login with a Supervisor (e.g. '%s', '%s', '%s', '%s')",
idpdiscoveryv1alpha1.IDPTypeOIDC,
idpdiscoveryv1alpha1.IDPTypeLDAP,
idpdiscoveryv1alpha1.IDPTypeActiveDirectory,
idpdiscoveryv1alpha1.IDPTypeGitHub,
))
cmd.Flags().StringVar(&flags.upstreamIdentityProviderFlow, "upstream-identity-provider-flow", "", fmt.Sprintf("The type of client flow to use with the upstream identity provider during login with a Supervisor (e.g. '%s', '%s')", idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode, idpdiscoveryv1alpha1.IDPFlowCLIPassword))
// --skip-listen is mainly needed for testing. We'll leave it hidden until we have a non-testing use case.

14
cmd/pinniped/cmd/login_oidc_test.go
View File

@@ -103,7 +103,7 @@ func TestLoginOIDCCommand(t *testing.T) {
--skip-browser Skip opening the browser (just print the URL)
--upstream-identity-provider-flow string The type of client flow to use with the upstream identity provider during login with a Supervisor (e.g. 'browser_authcode', 'cli_password')
--upstream-identity-provider-name string The name of the upstream identity provider used during login with a Supervisor
--upstream-identity-provider-type string The type of the upstream identity provider used during login with a Supervisor (e.g. 'oidc', 'ldap', 'activedirectory') (default "oidc")
--upstream-identity-provider-type string The type of the upstream identity provider used during login with a Supervisor (e.g. 'oidc', 'ldap', 'activedirectory', 'github') (default "oidc")
`),
},
{
@@ -274,8 +274,8 @@ func TestLoginOIDCCommand(t *testing.T) {
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
wantLogs: []string{
nowStr + ` pinniped-login cmd/login_oidc.go:259 Performing OIDC login {"issuer": "test-issuer", "client id": "test-client-id"}`,
nowStr + ` pinniped-login cmd/login_oidc.go:279 No concierge configured, skipping token credential exchange`,
nowStr + ` pinniped-login cmd/login_oidc.go:268 Performing OIDC login {"issuer": "test-issuer", "client id": "test-client-id"}`,
nowStr + ` pinniped-login cmd/login_oidc.go:288 No concierge configured, skipping token credential exchange`,
},
},
{
@@ -319,10 +319,10 @@ func TestLoginOIDCCommand(t *testing.T) {
wantOptionsCount: 12,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"token":"exchanged-token"}}` + "\n",
wantLogs: []string{
nowStr + ` pinniped-login cmd/login_oidc.go:259 Performing OIDC login {"issuer": "test-issuer", "client id": "test-client-id"}`,
nowStr + ` pinniped-login cmd/login_oidc.go:269 Exchanging token for cluster credential {"endpoint": "https://127.0.0.1:1234/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
nowStr + ` pinniped-login cmd/login_oidc.go:277 Successfully exchanged token for cluster credential.`,
nowStr + ` pinniped-login cmd/login_oidc.go:284 caching cluster credential for future use.`,
nowStr + ` pinniped-login cmd/login_oidc.go:268 Performing OIDC login {"issuer": "test-issuer", "client id": "test-client-id"}`,
nowStr + ` pinniped-login cmd/login_oidc.go:278 Exchanging token for cluster credential {"endpoint": "https://127.0.0.1:1234/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
nowStr + ` pinniped-login cmd/login_oidc.go:286 Successfully exchanged token for cluster credential.`,
nowStr + ` pinniped-login cmd/login_oidc.go:293 caching cluster credential for future use.`,
},
},
}

2
deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: jwtauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

2
deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: webhookauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

2
deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: credentialissuers.config.concierge.pinniped.dev
spec:
group: config.concierge.pinniped.dev

30
deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: federationdomains.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev
@@ -421,10 +421,15 @@ spec:
exist.
properties:
name:
default: ""
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -434,10 +439,15 @@ spec:
encrypting state parameters is stored.
properties:
name:
default: ""
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -447,10 +457,15 @@ spec:
signing state parameters is stored.
properties:
name:
default: ""
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -460,10 +475,15 @@ spec:
signing tokens is stored.
properties:
name:
default: ""
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
type: object
x-kubernetes-map-type: atomic

2
deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: oidcclients.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev

2
deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

326
deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml Normal file
View File

@@ -0,0 +1,326 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: githubidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev
names:
categories:
- pinniped
- pinniped-idp
- pinniped-idps
kind: GitHubIdentityProvider
listKind: GitHubIdentityProviderList
plural: githubidentityproviders
singular: githubidentityprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.githubAPI.host
name: Host
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec for configuring the identity provider.
properties:
allowAuthentication:
description: AllowAuthentication allows customization of who can authenticate
using this IDP and how.
properties:
organizations:
description: Organizations allows customization of which organizations
can authenticate using this IDP.
properties:
allowed:
description: |-
Allowed, when specified, indicates that only users with membership in at least one of the listed
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
within that organization.
If no organizations are listed, you must set organizations: AllGitHubUsers.
items:
type: string
maxItems: 64
type: array
x-kubernetes-list-type: set
policy:
default: OnlyUsersFromAllowedOrganizations
description: |-
Policy must be set to "AllGitHubUsers" if allowed is empty.
This field only exists to ensure that Pinniped administrators are aware that an empty list of
allowedOrganizations means all GitHub users are allowed to log in.
enum:
- OnlyUsersFromAllowedOrganizations
- AllGitHubUsers
type: string
type: object
x-kubernetes-validations:
- message: spec.allowAuthentication.organizations.policy must
be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed
has organizations listed
rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy
== ''AllGitHubUsers'')'
- message: spec.allowAuthentication.organizations.policy must
be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed
is empty
rule: '!((!has(self.allowed) || size(self.allowed) == 0) &&
self.policy == ''OnlyUsersFromAllowedOrganizations'')'
required:
- organizations
type: object
claims:
default: {}
description: Claims allows customization of the username and groups
claims.
properties:
groups:
default: slug
description: |-
Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
Can be either "name" or "slug". Defaults to "slug".
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
the team name or slug.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these group names are presented to Kubernetes.
See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
enum:
- name
- slug
type: string
username:
default: login:id
description: |-
Username configures which property of the GitHub user record shall determine the username in Kubernetes.
Can be either "id", "login", or "login:id". Defaults to "login:id".
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
and may not start or end with hyphens. GitHub users are allowed to change their login name,
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
then a second user might change their name from "baz" to "foo" in order to take the old
username of the first user. For this reason, it is not as safe to make authorization decisions
based only on the user's login attribute.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these usernames are presented to Kubernetes.
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
choice to concatenate the two values.
See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
enum:
- id
- login
- login:id
type: string
type: object
client:
description: Client identifies the secret with credentials for a GitHub
App or GitHub OAuth2 App (a GitHub client).
properties:
secretName:
description: |-
SecretName contains the name of a namespace-local Secret object that provides the clientID and
clientSecret for an GitHub App or GitHub OAuth2 client.
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
minLength: 1
type: string
required:
- secretName
type: object
githubAPI:
default: {}
description: GitHubAPI allows configuration for GitHub Enterprise
Server
properties:
host:
default: github.com
description: |-
Host is required only for GitHub Enterprise Server.
Defaults to using GitHub's public API ("github.com").
Do not specify a protocol or scheme since "https://" will always be used.
Port is optional. Do not specify a path, query, fragment, or userinfo.
Only domain name or IP address, subdomains (optional), and port (optional).
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
in square brackets. Example: "[::1]:443".
minLength: 1
type: string
tls:
description: TLS configuration for GitHub Enterprise Server.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM
bundle). If omitted, a default set of system roots will
be trusted.
type: string
type: object
type: object
required:
- allowAuthentication
- client
type: object
status:
description: Status of the identity provider.
properties:
conditions:
description: Conditions represents the observations of an identity
provider's current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the GitHubIdentityProvider.
enum:
- Pending
- Ready
- Error
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}

2
deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: ldapidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

2
deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: oidcidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

8
deploy/supervisor/rbac.yaml
View File

@@ -56,6 +56,14 @@ rules:
- #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
resources: [activedirectoryidentityproviders/status]
verbs: [get, patch, update]
- apiGroups:
- #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
resources: [githubidentityproviders]
verbs: [get, list, watch]
- apiGroups:
- #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
resources: [githubidentityproviders/status]
verbs: [get, patch, update]
#! We want to be able to read pods/replicasets/deployment so we can learn who our deployment is to set
#! as an owner reference.
- apiGroups: [""]

11
deploy/supervisor/z0_crd_overlay.yaml
View File

@@ -1,4 +1,4 @@
#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:overlay", "overlay")
@@ -41,6 +41,15 @@ metadata:
spec:
group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"githubidentityproviders.idp.supervisor.pinniped.dev"}}), expects=1
---
metadata:
#@overlay/match missing_ok=True
labels: #@ labels()
name: #@ pinnipedDevAPIGroupWithPrefix("githubidentityproviders.idp.supervisor")
spec:
group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcclients.config.supervisor.pinniped.dev"}}), expects=1
---
metadata:

282
generated/1.24/README.adoc generated
View File

@@ -1645,6 +1645,285 @@ Optional, when empty this defaults to "objectGUID". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig"]
==== GitHubAPIConfig
GitHubAPIConfig allows configuration for GitHub Enterprise Server
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"]
==== GitHubAllowAuthenticationSpec
GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"]
==== GitHubAllowedAuthOrganizationsPolicy (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims"]
==== GitHubClaims
GitHubClaims allows customization of the username and groups claims.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
then a second user might change their name from "baz" to "foo" in order to take the old +
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclientspec"]
==== GitHubClientSpec
GitHubClientSpec contains information about the GitHub client that this identity provider will use
for web-based login flows.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"]
==== GitHubGroupNameAttribute (string)
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
names to present to Kubernetes. See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityprovider"]
==== GitHubIdentityProvider
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"]
==== GitHubIdentityProviderPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"]
==== GitHubIdentityProviderSpec
GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"]
==== GitHubIdentityProviderStatus
GitHubIdentityProviderStatus is the status of an GitHub identity provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuborganizationsspec"]
==== GitHubOrganizationsSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include +
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubusernameattribute"]
==== GitHubUsernameAttribute (string)
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
to Kubernetes. See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-ldapidentityprovider"]
==== LDAPIdentityProvider
@@ -2108,11 +2387,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request.
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-tlsspec"]
==== TLSSpec
Configuration for TLS parameters related to identity provider integration.
TLSSpec provides TLS configuration for identity provider integration.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$]
****

4
generated/1.24/apis/supervisor/idp/v1alpha1/register.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&LDAPIdentityProviderList{},
&ActiveDirectoryIdentityProvider{},
&ActiveDirectoryIdentityProviderList{},
&GitHubIdentityProvider{},
&GitHubIdentityProviderList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil

256
generated/1.24/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,256 @@
// Copyright 2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
type GitHubIdentityProviderPhase string
const (
// GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources.
GitHubPhasePending GitHubIdentityProviderPhase = "Pending"
// GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state.
GitHubPhaseReady GitHubIdentityProviderPhase = "Ready"
// GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state.
GitHubPhaseError GitHubIdentityProviderPhase = "Error"
)
type GitHubAllowedAuthOrganizationsPolicy string
const (
// GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity
// provider, regardless of their organization membership or lack thereof.
GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers"
// GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in
// the listed GitHub organizations are allowed to log in.
GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations"
)
// GitHubIdentityProviderStatus is the status of an GitHub identity provider.
type GitHubIdentityProviderStatus struct {
// Phase summarizes the overall status of the GitHubIdentityProvider.
//
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase GitHubIdentityProviderPhase `json:"phase,omitempty"`
// Conditions represents the observations of an identity provider's current state.
//
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
// GitHubAPIConfig allows configuration for GitHub Enterprise Server
type GitHubAPIConfig struct {
// Host is required only for GitHub Enterprise Server.
// Defaults to using GitHub's public API ("github.com").
// Do not specify a protocol or scheme since "https://" will always be used.
// Port is optional. Do not specify a path, query, fragment, or userinfo.
// Only domain name or IP address, subdomains (optional), and port (optional).
// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
// in square brackets. Example: "[::1]:443".
//
// +kubebuilder:default="github.com"
// +kubebuilder:validation:MinLength=1
// +optional
Host *string `json:"host"`
// TLS configuration for GitHub Enterprise Server.
//
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
}
// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
// to Kubernetes. See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
type GitHubUsernameAttribute string
const (
// GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes.
GitHubUsernameID GitHubUsernameAttribute = "id"
// GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes.
GitHubUsernameLogin GitHubUsernameAttribute = "login"
// GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the
// username to present to Kubernetes, separated by a colon. Example: "my-login:1234"
GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id"
)
// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
// names to present to Kubernetes. See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
type GitHubGroupNameAttribute string
const (
// GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes.
GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name"
// GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes.
GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug"
)
// GitHubClaims allows customization of the username and groups claims.
type GitHubClaims struct {
// Username configures which property of the GitHub user record shall determine the username in Kubernetes.
//
// Can be either "id", "login", or "login:id". Defaults to "login:id".
//
// GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
// and may not start or end with hyphens. GitHub users are allowed to change their login name,
// although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
// then a second user might change their name from "baz" to "foo" in order to take the old
// username of the first user. For this reason, it is not as safe to make authorization decisions
// based only on the user's login attribute.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these usernames are presented to Kubernetes.
//
// Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
// unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
// from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
// choice to concatenate the two values.
//
// See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
//
// +kubebuilder:default="login:id"
// +kubebuilder:validation:Enum={"id","login","login:id"}
// +optional
Username *GitHubUsernameAttribute `json:"username"`
// Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
//
// Can be either "name" or "slug". Defaults to "slug".
//
// GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
//
// GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
//
// Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
// forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
// or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
// the team name or slug.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these group names are presented to Kubernetes.
//
// See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
//
// +kubebuilder:default=slug
// +kubebuilder:validation:Enum=name;slug
// +optional
Groups *GitHubGroupNameAttribute `json:"groups"`
}
// GitHubClientSpec contains information about the GitHub client that this identity provider will use
// for web-based login flows.
type GitHubClientSpec struct {
// SecretName contains the name of a namespace-local Secret object that provides the clientID and
// clientSecret for an GitHub App or GitHub OAuth2 client.
//
// This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
//
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
type GitHubOrganizationsSpec struct {
// Policy must be set to "AllGitHubUsers" if allowed is empty.
//
// This field only exists to ensure that Pinniped administrators are aware that an empty list of
// allowedOrganizations means all GitHub users are allowed to log in.
//
// +kubebuilder:default=OnlyUsersFromAllowedOrganizations
// +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers
// +optional
Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"`
// Allowed, when specified, indicates that only users with membership in at least one of the listed
// GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
// teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
// provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
//
// The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
// otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
// within that organization.
//
// If no organizations are listed, you must set organizations: AllGitHubUsers.
//
// +kubebuilder:validation:MaxItems=64
// +listType=set
// +optional
Allowed []string `json:"allowed,omitempty"`
}
// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
type GitHubAllowAuthenticationSpec struct {
// Organizations allows customization of which organizations can authenticate using this IDP.
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')"
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')"
Organizations GitHubOrganizationsSpec `json:"organizations"`
}
// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
type GitHubIdentityProviderSpec struct {
// GitHubAPI allows configuration for GitHub Enterprise Server
//
// +kubebuilder:default={}
GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"`
// Claims allows customization of the username and groups claims.
//
// +kubebuilder:default={}
Claims GitHubClaims `json:"claims,omitempty"`
// AllowAuthentication allows customization of who can authenticate using this IDP and how.
AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"`
// Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
Client GitHubClientSpec `json:"client"`
}
// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
//
// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
// as OIDCClients.
//
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type GitHubIdentityProvider struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the identity provider.
Spec GitHubIdentityProviderSpec `json:"spec"`
// Status of the identity provider.
Status GitHubIdentityProviderStatus `json:"status,omitempty"`
}
// GitHubIdentityProviderList lists GitHubIdentityProvider objects.
//
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type GitHubIdentityProviderList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []GitHubIdentityProvider `json:"items"`
}

4
generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go generated
View File

@@ -1,9 +1,9 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
// Configuration for TLS parameters related to identity provider integration.
// TLSSpec provides TLS configuration for identity provider integration.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional

215
generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -203,6 +203,221 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
*out = *in
if in.Host != nil {
in, out := &in.Host, &out.Host
*out = new(string)
**out = **in
}
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig.
func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig {
if in == nil {
return nil
}
out := new(GitHubAPIConfig)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec) {
*out = *in
in.Organizations.DeepCopyInto(&out.Organizations)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec.
func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec {
if in == nil {
return nil
}
out := new(GitHubAllowAuthenticationSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) {
*out = *in
if in.Username != nil {
in, out := &in.Username, &out.Username
*out = new(GitHubUsernameAttribute)
**out = **in
}
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = new(GitHubGroupNameAttribute)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims.
func (in *GitHubClaims) DeepCopy() *GitHubClaims {
if in == nil {
return nil
}
out := new(GitHubClaims)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec.
func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec {
if in == nil {
return nil
}
out := new(GitHubClientSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider.
func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider {
if in == nil {
return nil
}
out := new(GitHubIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]GitHubIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList.
func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) {
*out = *in
in.GitHubAPI.DeepCopyInto(&out.GitHubAPI)
in.Claims.DeepCopyInto(&out.Claims)
in.AllowAuthentication.DeepCopyInto(&out.AllowAuthentication)
out.Client = in.Client
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec.
func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) {
*out = *in
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus.
func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec) {
*out = *in
if in.Policy != nil {
in, out := &in.Policy, &out.Policy
*out = new(GitHubAllowedAuthOrganizationsPolicy)
**out = **in
}
if in.Allowed != nil {
in, out := &in.Allowed, &out.Allowed
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec.
func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec {
if in == nil {
return nil
}
out := new(GitHubOrganizationsSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) {
*out = *in

1
generated/1.24/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go generated
View File

@@ -15,6 +15,7 @@ const (
IDPTypeOIDC IDPType = "oidc"
IDPTypeLDAP IDPType = "ldap"
IDPTypeActiveDirectory IDPType = "activedirectory"
IDPTypeGitHub IDPType = "github"
IDPFlowCLIPassword IDPFlow = "cli_password"
IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"

129
generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,129 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
"context"
v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
labels "k8s.io/apimachinery/pkg/labels"
schema "k8s.io/apimachinery/pkg/runtime/schema"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
testing "k8s.io/client-go/testing"
)
// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface
type FakeGitHubIdentityProviders struct {
Fake *FakeIDPV1alpha1
ns string
}
var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"}
var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"}
// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any.
func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors.
func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) {
obj, err := c.Fake.
Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{})
if obj == nil {
return nil, err
}
label, _, _ := testing.ExtractFromListOptions(opts)
if label == nil {
label = labels.Everything()
}
list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta}
for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items {
if label.Matches(labels.Set(item.Labels)) {
list.Items = append(list.Items, item)
}
}
return list, err
}
// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders.
func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
return c.Fake.
InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts))
}
// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs.
func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
_, err := c.Fake.
Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{})
return err
}
// DeleteCollection deletes a collection of objects.
func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts)
_, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{})
return err
}
// Patch applies the patch and returns the patched gitHubIdentityProvider.
func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}

4
generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go generated
View File

@@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a
return &FakeActiveDirectoryIdentityProviders{c, namespace}
}
func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface {
return &FakeGitHubIdentityProviders{c, namespace}
}
func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface {
return &FakeLDAPIdentityProviders{c, namespace}
}

2
generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go generated
View File

@@ -7,6 +7,8 @@ package v1alpha1
type ActiveDirectoryIdentityProviderExpansion interface{}
type GitHubIdentityProviderExpansion interface{}
type LDAPIdentityProviderExpansion interface{}
type OIDCIdentityProviderExpansion interface{}

182
generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,182 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
"time"
v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1"
scheme "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/scheme"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
rest "k8s.io/client-go/rest"
)
// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface.
// A group's client should implement this interface.
type GitHubIdentityProvidersGetter interface {
GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface
}
// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources.
type GitHubIdentityProviderInterface interface {
Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error)
Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error)
UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error)
Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error)
List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error)
Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error)
GitHubIdentityProviderExpansion
}
// gitHubIdentityProviders implements GitHubIdentityProviderInterface
type gitHubIdentityProviders struct {
client rest.Interface
ns string
}
// newGitHubIdentityProviders returns a GitHubIdentityProviders
func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders {
return &gitHubIdentityProviders{
client: c.RESTClient(),
ns: namespace,
}
}
// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any.
func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
VersionedParams(&options, scheme.ParameterCodec).
Do(ctx).
Into(result)
return
}
// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors.
func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
result = &v1alpha1.GitHubIdentityProviderList{}
err = c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Do(ctx).
Into(result)
return
}
// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders.
func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
opts.Watch = true
return c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Watch(ctx)
}
// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Post().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Put().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(gitHubIdentityProvider.Name).
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Put().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(gitHubIdentityProvider.Name).
SubResource("status").
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs.
func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
return c.client.Delete().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
Body(&opts).
Do(ctx).
Error()
}
// DeleteCollection deletes a collection of objects.
func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
var timeout time.Duration
if listOpts.TimeoutSeconds != nil {
timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
}
return c.client.Delete().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&listOpts, scheme.ParameterCodec).
Timeout(timeout).
Body(&opts).
Do(ctx).
Error()
}
// Patch applies the patch and returns the patched gitHubIdentityProvider.
func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Patch(pt).
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
SubResource(subresources...).
VersionedParams(&opts, scheme.ParameterCodec).
Body(data).
Do(ctx).
Into(result)
return
}

5
generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go generated
View File

@@ -16,6 +16,7 @@ import (
type IDPV1alpha1Interface interface {
RESTClient() rest.Interface
ActiveDirectoryIdentityProvidersGetter
GitHubIdentityProvidersGetter
LDAPIdentityProvidersGetter
OIDCIdentityProvidersGetter
}
@@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A
return newActiveDirectoryIdentityProviders(c, namespace)
}
func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface {
return newGitHubIdentityProviders(c, namespace)
}
func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface {
return newLDAPIdentityProviders(c, namespace)
}

2
generated/1.24/client/supervisor/informers/externalversions/generic.go generated
View File

@@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
// Group=idp.supervisor.pinniped.dev, Version=v1alpha1
case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"):

77
generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,77 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
time "time"
idpv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1"
versioned "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned"
internalinterfaces "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/internalinterfaces"
v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/listers/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// GitHubIdentityProviderInformer provides access to a shared informer and lister for
// GitHubIdentityProviders.
type GitHubIdentityProviderInformer interface {
Informer() cache.SharedIndexInformer
Lister() v1alpha1.GitHubIdentityProviderLister
}
type gitHubIdentityProviderInformer struct {
factory internalinterfaces.SharedInformerFactory
tweakListOptions internalinterfaces.TweakListOptionsFunc
namespace string
}
// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
}
// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options)
},
},
&idpv1alpha1.GitHubIdentityProvider{},
resyncPeriod,
indexers,
)
}
func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
}
func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer {
return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer)
}
func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister {
return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer())
}

7
generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go generated
View File

@@ -13,6 +13,8 @@ import (
type Interface interface {
// ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer.
ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer
// GitHubIdentityProviders returns a GitHubIdentityProviderInformer.
GitHubIdentityProviders() GitHubIdentityProviderInformer
// LDAPIdentityProviders returns a LDAPIdentityProviderInformer.
LDAPIdentityProviders() LDAPIdentityProviderInformer
// OIDCIdentityProviders returns a OIDCIdentityProviderInformer.
@@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv
return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
// GitHubIdentityProviders returns a GitHubIdentityProviderInformer.
func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer {
return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
// LDAPIdentityProviders returns a LDAPIdentityProviderInformer.
func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer {
return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}

8
generated/1.24/client/supervisor/listers/idp/v1alpha1/expansion_generated.go generated
View File

@@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{}
// ActiveDirectoryIdentityProviderNamespaceLister.
type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{}
// GitHubIdentityProviderListerExpansion allows custom methods to be added to
// GitHubIdentityProviderLister.
type GitHubIdentityProviderListerExpansion interface{}
// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to
// GitHubIdentityProviderNamespaceLister.
type GitHubIdentityProviderNamespaceListerExpansion interface{}
// LDAPIdentityProviderListerExpansion allows custom methods to be added to
// LDAPIdentityProviderLister.
type LDAPIdentityProviderListerExpansion interface{}

86
generated/1.24/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,86 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by lister-gen. DO NOT EDIT.
package v1alpha1
import (
v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
)
// GitHubIdentityProviderLister helps list GitHubIdentityProviders.
// All objects returned here must be treated as read-only.
type GitHubIdentityProviderLister interface {
// List lists all GitHubIdentityProviders in the indexer.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error)
// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders.
GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister
GitHubIdentityProviderListerExpansion
}
// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface.
type gitHubIdentityProviderLister struct {
indexer cache.Indexer
}
// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister.
func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister {
return &gitHubIdentityProviderLister{indexer: indexer}
}
// List lists all GitHubIdentityProviders in the indexer.
func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) {
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider))
})
return ret, err
}
// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders.
func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister {
return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
}
// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders.
// All objects returned here must be treated as read-only.
type GitHubIdentityProviderNamespaceLister interface {
// List lists all GitHubIdentityProviders in the indexer for a given namespace.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error)
// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name.
// Objects returned here must be treated as read-only.
Get(name string) (*v1alpha1.GitHubIdentityProvider, error)
GitHubIdentityProviderNamespaceListerExpansion
}
// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister
// interface.
type gitHubIdentityProviderNamespaceLister struct {
indexer cache.Indexer
namespace string
}
// List lists all GitHubIdentityProviders in the indexer for a given namespace.
func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) {
err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider))
})
return ret, err
}
// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name.
func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) {
obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
if err != nil {
return nil, err
}
if !exists {
return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name)
}
return obj.(*v1alpha1.GitHubIdentityProvider), nil
}

2
generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: jwtauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

2
generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: webhookauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

2
generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: credentialissuers.config.concierge.pinniped.dev
spec:
group: config.concierge.pinniped.dev

2
generated/1.24/crds/config.supervisor.pinniped.dev_federationdomains.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: federationdomains.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev

2
generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: oidcclients.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev

2
generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

326
generated/1.24/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml generated Normal file
View File

@@ -0,0 +1,326 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: githubidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev
names:
categories:
- pinniped
- pinniped-idp
- pinniped-idps
kind: GitHubIdentityProvider
listKind: GitHubIdentityProviderList
plural: githubidentityproviders
singular: githubidentityprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.githubAPI.host
name: Host
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec for configuring the identity provider.
properties:
allowAuthentication:
description: AllowAuthentication allows customization of who can authenticate
using this IDP and how.
properties:
organizations:
description: Organizations allows customization of which organizations
can authenticate using this IDP.
properties:
allowed:
description: |-
Allowed, when specified, indicates that only users with membership in at least one of the listed
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
within that organization.
If no organizations are listed, you must set organizations: AllGitHubUsers.
items:
type: string
maxItems: 64
type: array
x-kubernetes-list-type: set
policy:
default: OnlyUsersFromAllowedOrganizations
description: |-
Policy must be set to "AllGitHubUsers" if allowed is empty.
This field only exists to ensure that Pinniped administrators are aware that an empty list of
allowedOrganizations means all GitHub users are allowed to log in.
enum:
- OnlyUsersFromAllowedOrganizations
- AllGitHubUsers
type: string
type: object
x-kubernetes-validations:
- message: spec.allowAuthentication.organizations.policy must
be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed
has organizations listed
rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy
== ''AllGitHubUsers'')'
- message: spec.allowAuthentication.organizations.policy must
be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed
is empty
rule: '!((!has(self.allowed) || size(self.allowed) == 0) &&
self.policy == ''OnlyUsersFromAllowedOrganizations'')'
required:
- organizations
type: object
claims:
default: {}
description: Claims allows customization of the username and groups
claims.
properties:
groups:
default: slug
description: |-
Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
Can be either "name" or "slug". Defaults to "slug".
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
the team name or slug.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these group names are presented to Kubernetes.
See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
enum:
- name
- slug
type: string
username:
default: login:id
description: |-
Username configures which property of the GitHub user record shall determine the username in Kubernetes.
Can be either "id", "login", or "login:id". Defaults to "login:id".
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
and may not start or end with hyphens. GitHub users are allowed to change their login name,
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
then a second user might change their name from "baz" to "foo" in order to take the old
username of the first user. For this reason, it is not as safe to make authorization decisions
based only on the user's login attribute.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these usernames are presented to Kubernetes.
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
choice to concatenate the two values.
See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
enum:
- id
- login
- login:id
type: string
type: object
client:
description: Client identifies the secret with credentials for a GitHub
App or GitHub OAuth2 App (a GitHub client).
properties:
secretName:
description: |-
SecretName contains the name of a namespace-local Secret object that provides the clientID and
clientSecret for an GitHub App or GitHub OAuth2 client.
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
minLength: 1
type: string
required:
- secretName
type: object
githubAPI:
default: {}
description: GitHubAPI allows configuration for GitHub Enterprise
Server
properties:
host:
default: github.com
description: |-
Host is required only for GitHub Enterprise Server.
Defaults to using GitHub's public API ("github.com").
Do not specify a protocol or scheme since "https://" will always be used.
Port is optional. Do not specify a path, query, fragment, or userinfo.
Only domain name or IP address, subdomains (optional), and port (optional).
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
in square brackets. Example: "[::1]:443".
minLength: 1
type: string
tls:
description: TLS configuration for GitHub Enterprise Server.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM
bundle). If omitted, a default set of system roots will
be trusted.
type: string
type: object
type: object
required:
- allowAuthentication
- client
type: object
status:
description: Status of the identity provider.
properties:
conditions:
description: Conditions represents the observations of an identity
provider's current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the GitHubIdentityProvider.
enum:
- Pending
- Ready
- Error
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}

2
generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: ldapidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

2
generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: oidcidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

282
generated/1.25/README.adoc generated
View File

@@ -1645,6 +1645,285 @@ Optional, when empty this defaults to "objectGUID". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig"]
==== GitHubAPIConfig
GitHubAPIConfig allows configuration for GitHub Enterprise Server
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"]
==== GitHubAllowAuthenticationSpec
GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"]
==== GitHubAllowedAuthOrganizationsPolicy (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims"]
==== GitHubClaims
GitHubClaims allows customization of the username and groups claims.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
then a second user might change their name from "baz" to "foo" in order to take the old +
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclientspec"]
==== GitHubClientSpec
GitHubClientSpec contains information about the GitHub client that this identity provider will use
for web-based login flows.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"]
==== GitHubGroupNameAttribute (string)
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
names to present to Kubernetes. See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityprovider"]
==== GitHubIdentityProvider
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"]
==== GitHubIdentityProviderPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"]
==== GitHubIdentityProviderSpec
GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"]
==== GitHubIdentityProviderStatus
GitHubIdentityProviderStatus is the status of an GitHub identity provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuborganizationsspec"]
==== GitHubOrganizationsSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include +
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubusernameattribute"]
==== GitHubUsernameAttribute (string)
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
to Kubernetes. See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-ldapidentityprovider"]
==== LDAPIdentityProvider
@@ -2108,11 +2387,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request.
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-tlsspec"]
==== TLSSpec
Configuration for TLS parameters related to identity provider integration.
TLSSpec provides TLS configuration for identity provider integration.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$]
****

4
generated/1.25/apis/supervisor/idp/v1alpha1/register.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&LDAPIdentityProviderList{},
&ActiveDirectoryIdentityProvider{},
&ActiveDirectoryIdentityProviderList{},
&GitHubIdentityProvider{},
&GitHubIdentityProviderList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil

256
generated/1.25/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,256 @@
// Copyright 2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
type GitHubIdentityProviderPhase string
const (
// GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources.
GitHubPhasePending GitHubIdentityProviderPhase = "Pending"
// GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state.
GitHubPhaseReady GitHubIdentityProviderPhase = "Ready"
// GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state.
GitHubPhaseError GitHubIdentityProviderPhase = "Error"
)
type GitHubAllowedAuthOrganizationsPolicy string
const (
// GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity
// provider, regardless of their organization membership or lack thereof.
GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers"
// GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in
// the listed GitHub organizations are allowed to log in.
GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations"
)
// GitHubIdentityProviderStatus is the status of an GitHub identity provider.
type GitHubIdentityProviderStatus struct {
// Phase summarizes the overall status of the GitHubIdentityProvider.
//
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase GitHubIdentityProviderPhase `json:"phase,omitempty"`
// Conditions represents the observations of an identity provider's current state.
//
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
// GitHubAPIConfig allows configuration for GitHub Enterprise Server
type GitHubAPIConfig struct {
// Host is required only for GitHub Enterprise Server.
// Defaults to using GitHub's public API ("github.com").
// Do not specify a protocol or scheme since "https://" will always be used.
// Port is optional. Do not specify a path, query, fragment, or userinfo.
// Only domain name or IP address, subdomains (optional), and port (optional).
// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
// in square brackets. Example: "[::1]:443".
//
// +kubebuilder:default="github.com"
// +kubebuilder:validation:MinLength=1
// +optional
Host *string `json:"host"`
// TLS configuration for GitHub Enterprise Server.
//
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
}
// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
// to Kubernetes. See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
type GitHubUsernameAttribute string
const (
// GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes.
GitHubUsernameID GitHubUsernameAttribute = "id"
// GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes.
GitHubUsernameLogin GitHubUsernameAttribute = "login"
// GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the
// username to present to Kubernetes, separated by a colon. Example: "my-login:1234"
GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id"
)
// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
// names to present to Kubernetes. See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
type GitHubGroupNameAttribute string
const (
// GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes.
GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name"
// GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes.
GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug"
)
// GitHubClaims allows customization of the username and groups claims.
type GitHubClaims struct {
// Username configures which property of the GitHub user record shall determine the username in Kubernetes.
//
// Can be either "id", "login", or "login:id". Defaults to "login:id".
//
// GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
// and may not start or end with hyphens. GitHub users are allowed to change their login name,
// although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
// then a second user might change their name from "baz" to "foo" in order to take the old
// username of the first user. For this reason, it is not as safe to make authorization decisions
// based only on the user's login attribute.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these usernames are presented to Kubernetes.
//
// Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
// unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
// from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
// choice to concatenate the two values.
//
// See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
//
// +kubebuilder:default="login:id"
// +kubebuilder:validation:Enum={"id","login","login:id"}
// +optional
Username *GitHubUsernameAttribute `json:"username"`
// Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
//
// Can be either "name" or "slug". Defaults to "slug".
//
// GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
//
// GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
//
// Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
// forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
// or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
// the team name or slug.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these group names are presented to Kubernetes.
//
// See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
//
// +kubebuilder:default=slug
// +kubebuilder:validation:Enum=name;slug
// +optional
Groups *GitHubGroupNameAttribute `json:"groups"`
}
// GitHubClientSpec contains information about the GitHub client that this identity provider will use
// for web-based login flows.
type GitHubClientSpec struct {
// SecretName contains the name of a namespace-local Secret object that provides the clientID and
// clientSecret for an GitHub App or GitHub OAuth2 client.
//
// This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
//
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
type GitHubOrganizationsSpec struct {
// Policy must be set to "AllGitHubUsers" if allowed is empty.
//
// This field only exists to ensure that Pinniped administrators are aware that an empty list of
// allowedOrganizations means all GitHub users are allowed to log in.
//
// +kubebuilder:default=OnlyUsersFromAllowedOrganizations
// +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers
// +optional
Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"`
// Allowed, when specified, indicates that only users with membership in at least one of the listed
// GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
// teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
// provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
//
// The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
// otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
// within that organization.
//
// If no organizations are listed, you must set organizations: AllGitHubUsers.
//
// +kubebuilder:validation:MaxItems=64
// +listType=set
// +optional
Allowed []string `json:"allowed,omitempty"`
}
// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
type GitHubAllowAuthenticationSpec struct {
// Organizations allows customization of which organizations can authenticate using this IDP.
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')"
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')"
Organizations GitHubOrganizationsSpec `json:"organizations"`
}
// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
type GitHubIdentityProviderSpec struct {
// GitHubAPI allows configuration for GitHub Enterprise Server
//
// +kubebuilder:default={}
GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"`
// Claims allows customization of the username and groups claims.
//
// +kubebuilder:default={}
Claims GitHubClaims `json:"claims,omitempty"`
// AllowAuthentication allows customization of who can authenticate using this IDP and how.
AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"`
// Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
Client GitHubClientSpec `json:"client"`
}
// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
//
// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
// as OIDCClients.
//
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type GitHubIdentityProvider struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the identity provider.
Spec GitHubIdentityProviderSpec `json:"spec"`
// Status of the identity provider.
Status GitHubIdentityProviderStatus `json:"status,omitempty"`
}
// GitHubIdentityProviderList lists GitHubIdentityProvider objects.
//
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type GitHubIdentityProviderList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []GitHubIdentityProvider `json:"items"`
}

4
generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go generated
View File

@@ -1,9 +1,9 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
// Configuration for TLS parameters related to identity provider integration.
// TLSSpec provides TLS configuration for identity provider integration.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional

215
generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -203,6 +203,221 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
*out = *in
if in.Host != nil {
in, out := &in.Host, &out.Host
*out = new(string)
**out = **in
}
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig.
func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig {
if in == nil {
return nil
}
out := new(GitHubAPIConfig)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec) {
*out = *in
in.Organizations.DeepCopyInto(&out.Organizations)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec.
func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec {
if in == nil {
return nil
}
out := new(GitHubAllowAuthenticationSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) {
*out = *in
if in.Username != nil {
in, out := &in.Username, &out.Username
*out = new(GitHubUsernameAttribute)
**out = **in
}
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = new(GitHubGroupNameAttribute)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims.
func (in *GitHubClaims) DeepCopy() *GitHubClaims {
if in == nil {
return nil
}
out := new(GitHubClaims)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec.
func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec {
if in == nil {
return nil
}
out := new(GitHubClientSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider.
func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider {
if in == nil {
return nil
}
out := new(GitHubIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]GitHubIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList.
func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) {
*out = *in
in.GitHubAPI.DeepCopyInto(&out.GitHubAPI)
in.Claims.DeepCopyInto(&out.Claims)
in.AllowAuthentication.DeepCopyInto(&out.AllowAuthentication)
out.Client = in.Client
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec.
func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) {
*out = *in
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus.
func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec) {
*out = *in
if in.Policy != nil {
in, out := &in.Policy, &out.Policy
*out = new(GitHubAllowedAuthOrganizationsPolicy)
**out = **in
}
if in.Allowed != nil {
in, out := &in.Allowed, &out.Allowed
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec.
func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec {
if in == nil {
return nil
}
out := new(GitHubOrganizationsSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) {
*out = *in

1
generated/1.25/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go generated
View File

@@ -15,6 +15,7 @@ const (
IDPTypeOIDC IDPType = "oidc"
IDPTypeLDAP IDPType = "ldap"
IDPTypeActiveDirectory IDPType = "activedirectory"
IDPTypeGitHub IDPType = "github"
IDPFlowCLIPassword IDPFlow = "cli_password"
IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"

129
generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,129 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
"context"
v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
labels "k8s.io/apimachinery/pkg/labels"
schema "k8s.io/apimachinery/pkg/runtime/schema"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
testing "k8s.io/client-go/testing"
)
// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface
type FakeGitHubIdentityProviders struct {
Fake *FakeIDPV1alpha1
ns string
}
var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"}
var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"}
// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any.
func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors.
func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) {
obj, err := c.Fake.
Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{})
if obj == nil {
return nil, err
}
label, _, _ := testing.ExtractFromListOptions(opts)
if label == nil {
label = labels.Everything()
}
list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta}
for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items {
if label.Matches(labels.Set(item.Labels)) {
list.Items = append(list.Items, item)
}
}
return list, err
}
// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders.
func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
return c.Fake.
InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts))
}
// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs.
func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
_, err := c.Fake.
Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{})
return err
}
// DeleteCollection deletes a collection of objects.
func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts)
_, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{})
return err
}
// Patch applies the patch and returns the patched gitHubIdentityProvider.
func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}

4
generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go generated
View File

@@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a
return &FakeActiveDirectoryIdentityProviders{c, namespace}
}
func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface {
return &FakeGitHubIdentityProviders{c, namespace}
}
func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface {
return &FakeLDAPIdentityProviders{c, namespace}
}

2
generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go generated
View File

@@ -7,6 +7,8 @@ package v1alpha1
type ActiveDirectoryIdentityProviderExpansion interface{}
type GitHubIdentityProviderExpansion interface{}
type LDAPIdentityProviderExpansion interface{}
type OIDCIdentityProviderExpansion interface{}

182
generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,182 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
"time"
v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1"
scheme "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned/scheme"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
rest "k8s.io/client-go/rest"
)
// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface.
// A group's client should implement this interface.
type GitHubIdentityProvidersGetter interface {
GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface
}
// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources.
type GitHubIdentityProviderInterface interface {
Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error)
Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error)
UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error)
Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error)
List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error)
Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error)
GitHubIdentityProviderExpansion
}
// gitHubIdentityProviders implements GitHubIdentityProviderInterface
type gitHubIdentityProviders struct {
client rest.Interface
ns string
}
// newGitHubIdentityProviders returns a GitHubIdentityProviders
func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders {
return &gitHubIdentityProviders{
client: c.RESTClient(),
ns: namespace,
}
}
// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any.
func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
VersionedParams(&options, scheme.ParameterCodec).
Do(ctx).
Into(result)
return
}
// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors.
func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
result = &v1alpha1.GitHubIdentityProviderList{}
err = c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Do(ctx).
Into(result)
return
}
// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders.
func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
opts.Watch = true
return c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Watch(ctx)
}
// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Post().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Put().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(gitHubIdentityProvider.Name).
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Put().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(gitHubIdentityProvider.Name).
SubResource("status").
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs.
func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
return c.client.Delete().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
Body(&opts).
Do(ctx).
Error()
}
// DeleteCollection deletes a collection of objects.
func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
var timeout time.Duration
if listOpts.TimeoutSeconds != nil {
timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
}
return c.client.Delete().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&listOpts, scheme.ParameterCodec).
Timeout(timeout).
Body(&opts).
Do(ctx).
Error()
}
// Patch applies the patch and returns the patched gitHubIdentityProvider.
func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Patch(pt).
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
SubResource(subresources...).
VersionedParams(&opts, scheme.ParameterCodec).
Body(data).
Do(ctx).
Into(result)
return
}

5
generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go generated
View File

@@ -16,6 +16,7 @@ import (
type IDPV1alpha1Interface interface {
RESTClient() rest.Interface
ActiveDirectoryIdentityProvidersGetter
GitHubIdentityProvidersGetter
LDAPIdentityProvidersGetter
OIDCIdentityProvidersGetter
}
@@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A
return newActiveDirectoryIdentityProviders(c, namespace)
}
func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface {
return newGitHubIdentityProviders(c, namespace)
}
func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface {
return newLDAPIdentityProviders(c, namespace)
}

2
generated/1.25/client/supervisor/informers/externalversions/generic.go generated
View File

@@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
// Group=idp.supervisor.pinniped.dev, Version=v1alpha1
case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"):

77
generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,77 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
time "time"
idpv1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1"
versioned "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned"
internalinterfaces "go.pinniped.dev/generated/1.25/client/supervisor/informers/externalversions/internalinterfaces"
v1alpha1 "go.pinniped.dev/generated/1.25/client/supervisor/listers/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// GitHubIdentityProviderInformer provides access to a shared informer and lister for
// GitHubIdentityProviders.
type GitHubIdentityProviderInformer interface {
Informer() cache.SharedIndexInformer
Lister() v1alpha1.GitHubIdentityProviderLister
}
type gitHubIdentityProviderInformer struct {
factory internalinterfaces.SharedInformerFactory
tweakListOptions internalinterfaces.TweakListOptionsFunc
namespace string
}
// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
}
// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options)
},
},
&idpv1alpha1.GitHubIdentityProvider{},
resyncPeriod,
indexers,
)
}
func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
}
func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer {
return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer)
}
func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister {
return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer())
}

7
generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go generated
View File

@@ -13,6 +13,8 @@ import (
type Interface interface {
// ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer.
ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer
// GitHubIdentityProviders returns a GitHubIdentityProviderInformer.
GitHubIdentityProviders() GitHubIdentityProviderInformer
// LDAPIdentityProviders returns a LDAPIdentityProviderInformer.
LDAPIdentityProviders() LDAPIdentityProviderInformer
// OIDCIdentityProviders returns a OIDCIdentityProviderInformer.
@@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv
return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
// GitHubIdentityProviders returns a GitHubIdentityProviderInformer.
func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer {
return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
// LDAPIdentityProviders returns a LDAPIdentityProviderInformer.
func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer {
return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}

8
generated/1.25/client/supervisor/listers/idp/v1alpha1/expansion_generated.go generated
View File

@@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{}
// ActiveDirectoryIdentityProviderNamespaceLister.
type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{}
// GitHubIdentityProviderListerExpansion allows custom methods to be added to
// GitHubIdentityProviderLister.
type GitHubIdentityProviderListerExpansion interface{}
// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to
// GitHubIdentityProviderNamespaceLister.
type GitHubIdentityProviderNamespaceListerExpansion interface{}
// LDAPIdentityProviderListerExpansion allows custom methods to be added to
// LDAPIdentityProviderLister.
type LDAPIdentityProviderListerExpansion interface{}

86
generated/1.25/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,86 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by lister-gen. DO NOT EDIT.
package v1alpha1
import (
v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
)
// GitHubIdentityProviderLister helps list GitHubIdentityProviders.
// All objects returned here must be treated as read-only.
type GitHubIdentityProviderLister interface {
// List lists all GitHubIdentityProviders in the indexer.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error)
// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders.
GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister
GitHubIdentityProviderListerExpansion
}
// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface.
type gitHubIdentityProviderLister struct {
indexer cache.Indexer
}
// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister.
func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister {
return &gitHubIdentityProviderLister{indexer: indexer}
}
// List lists all GitHubIdentityProviders in the indexer.
func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) {
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider))
})
return ret, err
}
// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders.
func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister {
return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
}
// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders.
// All objects returned here must be treated as read-only.
type GitHubIdentityProviderNamespaceLister interface {
// List lists all GitHubIdentityProviders in the indexer for a given namespace.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error)
// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name.
// Objects returned here must be treated as read-only.
Get(name string) (*v1alpha1.GitHubIdentityProvider, error)
GitHubIdentityProviderNamespaceListerExpansion
}
// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister
// interface.
type gitHubIdentityProviderNamespaceLister struct {
indexer cache.Indexer
namespace string
}
// List lists all GitHubIdentityProviders in the indexer for a given namespace.
func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) {
err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider))
})
return ret, err
}
// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name.
func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) {
obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
if err != nil {
return nil, err
}
if !exists {
return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name)
}
return obj.(*v1alpha1.GitHubIdentityProvider), nil
}

2
generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: jwtauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

2
generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: webhookauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

2
generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: credentialissuers.config.concierge.pinniped.dev
spec:
group: config.concierge.pinniped.dev

2
generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: federationdomains.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev

2
generated/1.25/crds/config.supervisor.pinniped.dev_oidcclients.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: oidcclients.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev

2
generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

326
generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml generated Normal file
View File

@@ -0,0 +1,326 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: githubidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev
names:
categories:
- pinniped
- pinniped-idp
- pinniped-idps
kind: GitHubIdentityProvider
listKind: GitHubIdentityProviderList
plural: githubidentityproviders
singular: githubidentityprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.githubAPI.host
name: Host
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec for configuring the identity provider.
properties:
allowAuthentication:
description: AllowAuthentication allows customization of who can authenticate
using this IDP and how.
properties:
organizations:
description: Organizations allows customization of which organizations
can authenticate using this IDP.
properties:
allowed:
description: |-
Allowed, when specified, indicates that only users with membership in at least one of the listed
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
within that organization.
If no organizations are listed, you must set organizations: AllGitHubUsers.
items:
type: string
maxItems: 64
type: array
x-kubernetes-list-type: set
policy:
default: OnlyUsersFromAllowedOrganizations
description: |-
Policy must be set to "AllGitHubUsers" if allowed is empty.
This field only exists to ensure that Pinniped administrators are aware that an empty list of
allowedOrganizations means all GitHub users are allowed to log in.
enum:
- OnlyUsersFromAllowedOrganizations
- AllGitHubUsers
type: string
type: object
x-kubernetes-validations:
- message: spec.allowAuthentication.organizations.policy must
be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed
has organizations listed
rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy
== ''AllGitHubUsers'')'
- message: spec.allowAuthentication.organizations.policy must
be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed
is empty
rule: '!((!has(self.allowed) || size(self.allowed) == 0) &&
self.policy == ''OnlyUsersFromAllowedOrganizations'')'
required:
- organizations
type: object
claims:
default: {}
description: Claims allows customization of the username and groups
claims.
properties:
groups:
default: slug
description: |-
Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
Can be either "name" or "slug". Defaults to "slug".
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
the team name or slug.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these group names are presented to Kubernetes.
See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
enum:
- name
- slug
type: string
username:
default: login:id
description: |-
Username configures which property of the GitHub user record shall determine the username in Kubernetes.
Can be either "id", "login", or "login:id". Defaults to "login:id".
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
and may not start or end with hyphens. GitHub users are allowed to change their login name,
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
then a second user might change their name from "baz" to "foo" in order to take the old
username of the first user. For this reason, it is not as safe to make authorization decisions
based only on the user's login attribute.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these usernames are presented to Kubernetes.
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
choice to concatenate the two values.
See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
enum:
- id
- login
- login:id
type: string
type: object
client:
description: Client identifies the secret with credentials for a GitHub
App or GitHub OAuth2 App (a GitHub client).
properties:
secretName:
description: |-
SecretName contains the name of a namespace-local Secret object that provides the clientID and
clientSecret for an GitHub App or GitHub OAuth2 client.
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
minLength: 1
type: string
required:
- secretName
type: object
githubAPI:
default: {}
description: GitHubAPI allows configuration for GitHub Enterprise
Server
properties:
host:
default: github.com
description: |-
Host is required only for GitHub Enterprise Server.
Defaults to using GitHub's public API ("github.com").
Do not specify a protocol or scheme since "https://" will always be used.
Port is optional. Do not specify a path, query, fragment, or userinfo.
Only domain name or IP address, subdomains (optional), and port (optional).
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
in square brackets. Example: "[::1]:443".
minLength: 1
type: string
tls:
description: TLS configuration for GitHub Enterprise Server.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM
bundle). If omitted, a default set of system roots will
be trusted.
type: string
type: object
type: object
required:
- allowAuthentication
- client
type: object
status:
description: Status of the identity provider.
properties:
conditions:
description: Conditions represents the observations of an identity
provider's current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the GitHubIdentityProvider.
enum:
- Pending
- Ready
- Error
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}

2
generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: ldapidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

2
generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: oidcidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

282
generated/1.26/README.adoc generated
View File

@@ -1645,6 +1645,285 @@ Optional, when empty this defaults to "objectGUID". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig"]
==== GitHubAPIConfig
GitHubAPIConfig allows configuration for GitHub Enterprise Server
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"]
==== GitHubAllowAuthenticationSpec
GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"]
==== GitHubAllowedAuthOrganizationsPolicy (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims"]
==== GitHubClaims
GitHubClaims allows customization of the username and groups claims.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
then a second user might change their name from "baz" to "foo" in order to take the old +
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclientspec"]
==== GitHubClientSpec
GitHubClientSpec contains information about the GitHub client that this identity provider will use
for web-based login flows.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"]
==== GitHubGroupNameAttribute (string)
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
names to present to Kubernetes. See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityprovider"]
==== GitHubIdentityProvider
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"]
==== GitHubIdentityProviderPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"]
==== GitHubIdentityProviderSpec
GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"]
==== GitHubIdentityProviderStatus
GitHubIdentityProviderStatus is the status of an GitHub identity provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuborganizationsspec"]
==== GitHubOrganizationsSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include +
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubusernameattribute"]
==== GitHubUsernameAttribute (string)
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
to Kubernetes. See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-ldapidentityprovider"]
==== LDAPIdentityProvider
@@ -2108,11 +2387,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request.
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-tlsspec"]
==== TLSSpec
Configuration for TLS parameters related to identity provider integration.
TLSSpec provides TLS configuration for identity provider integration.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$]
****

4
generated/1.26/apis/supervisor/idp/v1alpha1/register.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&LDAPIdentityProviderList{},
&ActiveDirectoryIdentityProvider{},
&ActiveDirectoryIdentityProviderList{},
&GitHubIdentityProvider{},
&GitHubIdentityProviderList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil

256
generated/1.26/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,256 @@
// Copyright 2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
type GitHubIdentityProviderPhase string
const (
// GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources.
GitHubPhasePending GitHubIdentityProviderPhase = "Pending"
// GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state.
GitHubPhaseReady GitHubIdentityProviderPhase = "Ready"
// GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state.
GitHubPhaseError GitHubIdentityProviderPhase = "Error"
)
type GitHubAllowedAuthOrganizationsPolicy string
const (
// GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity
// provider, regardless of their organization membership or lack thereof.
GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers"
// GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in
// the listed GitHub organizations are allowed to log in.
GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations"
)
// GitHubIdentityProviderStatus is the status of an GitHub identity provider.
type GitHubIdentityProviderStatus struct {
// Phase summarizes the overall status of the GitHubIdentityProvider.
//
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase GitHubIdentityProviderPhase `json:"phase,omitempty"`
// Conditions represents the observations of an identity provider's current state.
//
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
// GitHubAPIConfig allows configuration for GitHub Enterprise Server
type GitHubAPIConfig struct {
// Host is required only for GitHub Enterprise Server.
// Defaults to using GitHub's public API ("github.com").
// Do not specify a protocol or scheme since "https://" will always be used.
// Port is optional. Do not specify a path, query, fragment, or userinfo.
// Only domain name or IP address, subdomains (optional), and port (optional).
// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
// in square brackets. Example: "[::1]:443".
//
// +kubebuilder:default="github.com"
// +kubebuilder:validation:MinLength=1
// +optional
Host *string `json:"host"`
// TLS configuration for GitHub Enterprise Server.
//
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
}
// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
// to Kubernetes. See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
type GitHubUsernameAttribute string
const (
// GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes.
GitHubUsernameID GitHubUsernameAttribute = "id"
// GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes.
GitHubUsernameLogin GitHubUsernameAttribute = "login"
// GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the
// username to present to Kubernetes, separated by a colon. Example: "my-login:1234"
GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id"
)
// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
// names to present to Kubernetes. See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
type GitHubGroupNameAttribute string
const (
// GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes.
GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name"
// GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes.
GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug"
)
// GitHubClaims allows customization of the username and groups claims.
type GitHubClaims struct {
// Username configures which property of the GitHub user record shall determine the username in Kubernetes.
//
// Can be either "id", "login", or "login:id". Defaults to "login:id".
//
// GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
// and may not start or end with hyphens. GitHub users are allowed to change their login name,
// although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
// then a second user might change their name from "baz" to "foo" in order to take the old
// username of the first user. For this reason, it is not as safe to make authorization decisions
// based only on the user's login attribute.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these usernames are presented to Kubernetes.
//
// Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
// unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
// from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
// choice to concatenate the two values.
//
// See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
//
// +kubebuilder:default="login:id"
// +kubebuilder:validation:Enum={"id","login","login:id"}
// +optional
Username *GitHubUsernameAttribute `json:"username"`
// Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
//
// Can be either "name" or "slug". Defaults to "slug".
//
// GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
//
// GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
//
// Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
// forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
// or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
// the team name or slug.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these group names are presented to Kubernetes.
//
// See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
//
// +kubebuilder:default=slug
// +kubebuilder:validation:Enum=name;slug
// +optional
Groups *GitHubGroupNameAttribute `json:"groups"`
}
// GitHubClientSpec contains information about the GitHub client that this identity provider will use
// for web-based login flows.
type GitHubClientSpec struct {
// SecretName contains the name of a namespace-local Secret object that provides the clientID and
// clientSecret for an GitHub App or GitHub OAuth2 client.
//
// This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
//
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
type GitHubOrganizationsSpec struct {
// Policy must be set to "AllGitHubUsers" if allowed is empty.
//
// This field only exists to ensure that Pinniped administrators are aware that an empty list of
// allowedOrganizations means all GitHub users are allowed to log in.
//
// +kubebuilder:default=OnlyUsersFromAllowedOrganizations
// +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers
// +optional
Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"`
// Allowed, when specified, indicates that only users with membership in at least one of the listed
// GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
// teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
// provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
//
// The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
// otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
// within that organization.
//
// If no organizations are listed, you must set organizations: AllGitHubUsers.
//
// +kubebuilder:validation:MaxItems=64
// +listType=set
// +optional
Allowed []string `json:"allowed,omitempty"`
}
// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
type GitHubAllowAuthenticationSpec struct {
// Organizations allows customization of which organizations can authenticate using this IDP.
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')"
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')"
Organizations GitHubOrganizationsSpec `json:"organizations"`
}
// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
type GitHubIdentityProviderSpec struct {
// GitHubAPI allows configuration for GitHub Enterprise Server
//
// +kubebuilder:default={}
GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"`
// Claims allows customization of the username and groups claims.
//
// +kubebuilder:default={}
Claims GitHubClaims `json:"claims,omitempty"`
// AllowAuthentication allows customization of who can authenticate using this IDP and how.
AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"`
// Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
Client GitHubClientSpec `json:"client"`
}
// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
//
// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
// as OIDCClients.
//
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type GitHubIdentityProvider struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the identity provider.
Spec GitHubIdentityProviderSpec `json:"spec"`
// Status of the identity provider.
Status GitHubIdentityProviderStatus `json:"status,omitempty"`
}
// GitHubIdentityProviderList lists GitHubIdentityProvider objects.
//
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type GitHubIdentityProviderList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []GitHubIdentityProvider `json:"items"`
}

4
generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go generated
View File

@@ -1,9 +1,9 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
// Configuration for TLS parameters related to identity provider integration.
// TLSSpec provides TLS configuration for identity provider integration.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional

215
generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -203,6 +203,221 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
*out = *in
if in.Host != nil {
in, out := &in.Host, &out.Host
*out = new(string)
**out = **in
}
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig.
func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig {
if in == nil {
return nil
}
out := new(GitHubAPIConfig)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec) {
*out = *in
in.Organizations.DeepCopyInto(&out.Organizations)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec.
func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec {
if in == nil {
return nil
}
out := new(GitHubAllowAuthenticationSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) {
*out = *in
if in.Username != nil {
in, out := &in.Username, &out.Username
*out = new(GitHubUsernameAttribute)
**out = **in
}
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = new(GitHubGroupNameAttribute)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims.
func (in *GitHubClaims) DeepCopy() *GitHubClaims {
if in == nil {
return nil
}
out := new(GitHubClaims)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec.
func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec {
if in == nil {
return nil
}
out := new(GitHubClientSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider.
func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider {
if in == nil {
return nil
}
out := new(GitHubIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]GitHubIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList.
func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) {
*out = *in
in.GitHubAPI.DeepCopyInto(&out.GitHubAPI)
in.Claims.DeepCopyInto(&out.Claims)
in.AllowAuthentication.DeepCopyInto(&out.AllowAuthentication)
out.Client = in.Client
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec.
func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) {
*out = *in
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus.
func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec) {
*out = *in
if in.Policy != nil {
in, out := &in.Policy, &out.Policy
*out = new(GitHubAllowedAuthOrganizationsPolicy)
**out = **in
}
if in.Allowed != nil {
in, out := &in.Allowed, &out.Allowed
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec.
func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec {
if in == nil {
return nil
}
out := new(GitHubOrganizationsSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) {
*out = *in

1
generated/1.26/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go generated
View File

@@ -15,6 +15,7 @@ const (
IDPTypeOIDC IDPType = "oidc"
IDPTypeLDAP IDPType = "ldap"
IDPTypeActiveDirectory IDPType = "activedirectory"
IDPTypeGitHub IDPType = "github"
IDPFlowCLIPassword IDPFlow = "cli_password"
IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"

129
generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,129 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
"context"
v1alpha1 "go.pinniped.dev/generated/1.26/apis/supervisor/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
labels "k8s.io/apimachinery/pkg/labels"
schema "k8s.io/apimachinery/pkg/runtime/schema"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
testing "k8s.io/client-go/testing"
)
// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface
type FakeGitHubIdentityProviders struct {
Fake *FakeIDPV1alpha1
ns string
}
var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"}
var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"}
// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any.
func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors.
func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) {
obj, err := c.Fake.
Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{})
if obj == nil {
return nil, err
}
label, _, _ := testing.ExtractFromListOptions(opts)
if label == nil {
label = labels.Everything()
}
list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta}
for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items {
if label.Matches(labels.Set(item.Labels)) {
list.Items = append(list.Items, item)
}
}
return list, err
}
// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders.
func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
return c.Fake.
InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts))
}
// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs.
func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
_, err := c.Fake.
Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{})
return err
}
// DeleteCollection deletes a collection of objects.
func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts)
_, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{})
return err
}
// Patch applies the patch and returns the patched gitHubIdentityProvider.
func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}

4
generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go generated
View File

@@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a
return &FakeActiveDirectoryIdentityProviders{c, namespace}
}
func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface {
return &FakeGitHubIdentityProviders{c, namespace}
}
func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface {
return &FakeLDAPIdentityProviders{c, namespace}
}

2
generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go generated
View File

@@ -7,6 +7,8 @@ package v1alpha1
type ActiveDirectoryIdentityProviderExpansion interface{}
type GitHubIdentityProviderExpansion interface{}
type LDAPIdentityProviderExpansion interface{}
type OIDCIdentityProviderExpansion interface{}

182
generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,182 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
"time"
v1alpha1 "go.pinniped.dev/generated/1.26/apis/supervisor/idp/v1alpha1"
scheme "go.pinniped.dev/generated/1.26/client/supervisor/clientset/versioned/scheme"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
rest "k8s.io/client-go/rest"
)
// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface.
// A group's client should implement this interface.
type GitHubIdentityProvidersGetter interface {
GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface
}
// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources.
type GitHubIdentityProviderInterface interface {
Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error)
Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error)
UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error)
Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error)
List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error)
Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error)
GitHubIdentityProviderExpansion
}
// gitHubIdentityProviders implements GitHubIdentityProviderInterface
type gitHubIdentityProviders struct {
client rest.Interface
ns string
}
// newGitHubIdentityProviders returns a GitHubIdentityProviders
func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders {
return &gitHubIdentityProviders{
client: c.RESTClient(),
ns: namespace,
}
}
// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any.
func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
VersionedParams(&options, scheme.ParameterCodec).
Do(ctx).
Into(result)
return
}
// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors.
func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
result = &v1alpha1.GitHubIdentityProviderList{}
err = c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Do(ctx).
Into(result)
return
}
// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders.
func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
opts.Watch = true
return c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Watch(ctx)
}
// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Post().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Put().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(gitHubIdentityProvider.Name).
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Put().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(gitHubIdentityProvider.Name).
SubResource("status").
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs.
func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
return c.client.Delete().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
Body(&opts).
Do(ctx).
Error()
}
// DeleteCollection deletes a collection of objects.
func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
var timeout time.Duration
if listOpts.TimeoutSeconds != nil {
timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
}
return c.client.Delete().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&listOpts, scheme.ParameterCodec).
Timeout(timeout).
Body(&opts).
Do(ctx).
Error()
}
// Patch applies the patch and returns the patched gitHubIdentityProvider.
func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Patch(pt).
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
SubResource(subresources...).
VersionedParams(&opts, scheme.ParameterCodec).
Body(data).
Do(ctx).
Into(result)
return
}

5
generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go generated
View File

@@ -16,6 +16,7 @@ import (
type IDPV1alpha1Interface interface {
RESTClient() rest.Interface
ActiveDirectoryIdentityProvidersGetter
GitHubIdentityProvidersGetter
LDAPIdentityProvidersGetter
OIDCIdentityProvidersGetter
}
@@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A
return newActiveDirectoryIdentityProviders(c, namespace)
}
func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface {
return newGitHubIdentityProviders(c, namespace)
}
func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface {
return newLDAPIdentityProviders(c, namespace)
}

2
generated/1.26/client/supervisor/informers/externalversions/generic.go generated
View File

@@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
// Group=idp.supervisor.pinniped.dev, Version=v1alpha1
case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"):

77
generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,77 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
time "time"
idpv1alpha1 "go.pinniped.dev/generated/1.26/apis/supervisor/idp/v1alpha1"
versioned "go.pinniped.dev/generated/1.26/client/supervisor/clientset/versioned"
internalinterfaces "go.pinniped.dev/generated/1.26/client/supervisor/informers/externalversions/internalinterfaces"
v1alpha1 "go.pinniped.dev/generated/1.26/client/supervisor/listers/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// GitHubIdentityProviderInformer provides access to a shared informer and lister for
// GitHubIdentityProviders.
type GitHubIdentityProviderInformer interface {
Informer() cache.SharedIndexInformer
Lister() v1alpha1.GitHubIdentityProviderLister
}
type gitHubIdentityProviderInformer struct {
factory internalinterfaces.SharedInformerFactory
tweakListOptions internalinterfaces.TweakListOptionsFunc
namespace string
}
// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
}
// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options)
},
},
&idpv1alpha1.GitHubIdentityProvider{},
resyncPeriod,
indexers,
)
}
func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
}
func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer {
return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer)
}
func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister {
return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer())
}

7
generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go generated
View File

@@ -13,6 +13,8 @@ import (
type Interface interface {
// ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer.
ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer
// GitHubIdentityProviders returns a GitHubIdentityProviderInformer.
GitHubIdentityProviders() GitHubIdentityProviderInformer
// LDAPIdentityProviders returns a LDAPIdentityProviderInformer.
LDAPIdentityProviders() LDAPIdentityProviderInformer
// OIDCIdentityProviders returns a OIDCIdentityProviderInformer.
@@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv
return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
// GitHubIdentityProviders returns a GitHubIdentityProviderInformer.
func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer {
return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
// LDAPIdentityProviders returns a LDAPIdentityProviderInformer.
func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer {
return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}

8
generated/1.26/client/supervisor/listers/idp/v1alpha1/expansion_generated.go generated
View File

@@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{}
// ActiveDirectoryIdentityProviderNamespaceLister.
type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{}
// GitHubIdentityProviderListerExpansion allows custom methods to be added to
// GitHubIdentityProviderLister.
type GitHubIdentityProviderListerExpansion interface{}
// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to
// GitHubIdentityProviderNamespaceLister.
type GitHubIdentityProviderNamespaceListerExpansion interface{}
// LDAPIdentityProviderListerExpansion allows custom methods to be added to
// LDAPIdentityProviderLister.
type LDAPIdentityProviderListerExpansion interface{}

86
generated/1.26/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,86 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by lister-gen. DO NOT EDIT.
package v1alpha1
import (
v1alpha1 "go.pinniped.dev/generated/1.26/apis/supervisor/idp/v1alpha1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
)
// GitHubIdentityProviderLister helps list GitHubIdentityProviders.
// All objects returned here must be treated as read-only.
type GitHubIdentityProviderLister interface {
// List lists all GitHubIdentityProviders in the indexer.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error)
// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders.
GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister
GitHubIdentityProviderListerExpansion
}
// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface.
type gitHubIdentityProviderLister struct {
indexer cache.Indexer
}
// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister.
func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister {
return &gitHubIdentityProviderLister{indexer: indexer}
}
// List lists all GitHubIdentityProviders in the indexer.
func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) {
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider))
})
return ret, err
}
// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders.
func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister {
return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
}
// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders.
// All objects returned here must be treated as read-only.
type GitHubIdentityProviderNamespaceLister interface {
// List lists all GitHubIdentityProviders in the indexer for a given namespace.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error)
// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name.
// Objects returned here must be treated as read-only.
Get(name string) (*v1alpha1.GitHubIdentityProvider, error)
GitHubIdentityProviderNamespaceListerExpansion
}
// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister
// interface.
type gitHubIdentityProviderNamespaceLister struct {
indexer cache.Indexer
namespace string
}
// List lists all GitHubIdentityProviders in the indexer for a given namespace.
func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) {
err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider))
})
return ret, err
}
// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name.
func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) {
obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
if err != nil {
return nil, err
}
if !exists {
return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name)
}
return obj.(*v1alpha1.GitHubIdentityProvider), nil
}

2
generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: jwtauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

2
generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: webhookauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

2
generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: credentialissuers.config.concierge.pinniped.dev
spec:
group: config.concierge.pinniped.dev

2
generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: federationdomains.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev

2
generated/1.26/crds/config.supervisor.pinniped.dev_oidcclients.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: oidcclients.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev

2
generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

326
generated/1.26/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml generated Normal file
View File

@@ -0,0 +1,326 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: githubidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev
names:
categories:
- pinniped
- pinniped-idp
- pinniped-idps
kind: GitHubIdentityProvider
listKind: GitHubIdentityProviderList
plural: githubidentityproviders
singular: githubidentityprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.githubAPI.host
name: Host
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec for configuring the identity provider.
properties:
allowAuthentication:
description: AllowAuthentication allows customization of who can authenticate
using this IDP and how.
properties:
organizations:
description: Organizations allows customization of which organizations
can authenticate using this IDP.
properties:
allowed:
description: |-
Allowed, when specified, indicates that only users with membership in at least one of the listed
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
within that organization.
If no organizations are listed, you must set organizations: AllGitHubUsers.
items:
type: string
maxItems: 64
type: array
x-kubernetes-list-type: set
policy:
default: OnlyUsersFromAllowedOrganizations
description: |-
Policy must be set to "AllGitHubUsers" if allowed is empty.
This field only exists to ensure that Pinniped administrators are aware that an empty list of
allowedOrganizations means all GitHub users are allowed to log in.
enum:
- OnlyUsersFromAllowedOrganizations
- AllGitHubUsers
type: string
type: object
x-kubernetes-validations:
- message: spec.allowAuthentication.organizations.policy must
be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed
has organizations listed
rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy
== ''AllGitHubUsers'')'
- message: spec.allowAuthentication.organizations.policy must
be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed
is empty
rule: '!((!has(self.allowed) || size(self.allowed) == 0) &&
self.policy == ''OnlyUsersFromAllowedOrganizations'')'
required:
- organizations
type: object
claims:
default: {}
description: Claims allows customization of the username and groups
claims.
properties:
groups:
default: slug
description: |-
Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
Can be either "name" or "slug". Defaults to "slug".
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
the team name or slug.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these group names are presented to Kubernetes.
See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
enum:
- name
- slug
type: string
username:
default: login:id
description: |-
Username configures which property of the GitHub user record shall determine the username in Kubernetes.
Can be either "id", "login", or "login:id". Defaults to "login:id".
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
and may not start or end with hyphens. GitHub users are allowed to change their login name,
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
then a second user might change their name from "baz" to "foo" in order to take the old
username of the first user. For this reason, it is not as safe to make authorization decisions
based only on the user's login attribute.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these usernames are presented to Kubernetes.
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
choice to concatenate the two values.
See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
enum:
- id
- login
- login:id
type: string
type: object
client:
description: Client identifies the secret with credentials for a GitHub
App or GitHub OAuth2 App (a GitHub client).
properties:
secretName:
description: |-
SecretName contains the name of a namespace-local Secret object that provides the clientID and
clientSecret for an GitHub App or GitHub OAuth2 client.
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
minLength: 1
type: string
required:
- secretName
type: object
githubAPI:
default: {}
description: GitHubAPI allows configuration for GitHub Enterprise
Server
properties:
host:
default: github.com
description: |-
Host is required only for GitHub Enterprise Server.
Defaults to using GitHub's public API ("github.com").
Do not specify a protocol or scheme since "https://" will always be used.
Port is optional. Do not specify a path, query, fragment, or userinfo.
Only domain name or IP address, subdomains (optional), and port (optional).
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
in square brackets. Example: "[::1]:443".
minLength: 1
type: string
tls:
description: TLS configuration for GitHub Enterprise Server.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM
bundle). If omitted, a default set of system roots will
be trusted.
type: string
type: object
type: object
required:
- allowAuthentication
- client
type: object
status:
description: Status of the identity provider.
properties:
conditions:
description: Conditions represents the observations of an identity
provider's current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the GitHubIdentityProvider.
enum:
- Pending
- Ready
- Error
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}

2
generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: ldapidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

2
generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: oidcidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

282
generated/1.27/README.adoc generated
View File

@@ -1645,6 +1645,285 @@ Optional, when empty this defaults to "objectGUID". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubapiconfig"]
==== GitHubAPIConfig
GitHubAPIConfig allows configuration for GitHub Enterprise Server
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"]
==== GitHubAllowAuthenticationSpec
GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"]
==== GitHubAllowedAuthOrganizationsPolicy (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclaims"]
==== GitHubClaims
GitHubClaims allows customization of the username and groups claims.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
then a second user might change their name from "baz" to "foo" in order to take the old +
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclientspec"]
==== GitHubClientSpec
GitHubClientSpec contains information about the GitHub client that this identity provider will use
for web-based login flows.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"]
==== GitHubGroupNameAttribute (string)
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
names to present to Kubernetes. See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityprovider"]
==== GitHubIdentityProvider
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"]
==== GitHubIdentityProviderPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"]
==== GitHubIdentityProviderSpec
GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"]
==== GitHubIdentityProviderStatus
GitHubIdentityProviderStatus is the status of an GitHub identity provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuborganizationsspec"]
==== GitHubOrganizationsSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include +
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubusernameattribute"]
==== GitHubUsernameAttribute (string)
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
to Kubernetes. See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-ldapidentityprovider"]
==== LDAPIdentityProvider
@@ -2108,11 +2387,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request.
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-tlsspec"]
==== TLSSpec
Configuration for TLS parameters related to identity provider integration.
TLSSpec provides TLS configuration for identity provider integration.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$]
****

4
generated/1.27/apis/go.mod generated
View File

@@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.27/apis
go 1.13
require (
k8s.io/api v0.27.13
k8s.io/apimachinery v0.27.13
k8s.io/api v0.27.14
k8s.io/apimachinery v0.27.14
)

8
generated/1.27/apis/go.sum generated
View File

@@ -330,10 +330,10 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
k8s.io/api v0.27.13 h1:d49LYs1dh+JMMDNYQSu8FhEzCjc2TNpYvDWoSGAKs80=
k8s.io/api v0.27.13/go.mod h1:W3lYMPs34i0XQA+cmKfejve+HwbRZjy67fL05RyJUTo=
k8s.io/apimachinery v0.27.13 h1:xDAnOWaRVNSkaKdfB0Ab11hixH90KGTbLwEHMloMjFM=
k8s.io/apimachinery v0.27.13/go.mod h1:TWo+8wOIz3CytsrlI9k/LBWXLRr9dqf5hRSCbbggMAg=
k8s.io/api v0.27.14 h1:/oKAF9HiSB47polol2Ji2TaFnC400JK57jSPUXY5MzU=
k8s.io/api v0.27.14/go.mod h1:Jekhd9Kyo2CsmJlYbqZPXNwIxiHvyGJCdp0X56yDyvU=
k8s.io/apimachinery v0.27.14 h1:jAIGvPbvAg4XJysK7JPFa6DdjTR6vts4/p4Q6ZrcQ+4=
k8s.io/apimachinery v0.27.14/go.mod h1:TWo+8wOIz3CytsrlI9k/LBWXLRr9dqf5hRSCbbggMAg=
k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

4
generated/1.27/apis/supervisor/idp/v1alpha1/register.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&LDAPIdentityProviderList{},
&ActiveDirectoryIdentityProvider{},
&ActiveDirectoryIdentityProviderList{},
&GitHubIdentityProvider{},
&GitHubIdentityProviderList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil

Some files were not shown because too many files have changed in this diff Show More