diff --git a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index 0520898f3..a7981552c 100644 --- a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -97,42 +105,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +154,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 5924c6f68..08defa182 100644 --- a/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -70,42 +75,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +124,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml b/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml index 6f50730c8..7bf231443 100644 --- a/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -117,17 +113,17 @@ spec: type: object x-kubernetes-map-type: atomic transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -162,25 +158,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -189,27 +181,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -232,44 +215,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -280,10 +257,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -305,14 +281,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -320,26 +298,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -353,42 +333,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -402,11 +382,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -434,46 +415,55 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic diff --git a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml index c61c4b154..0960ca0de 100644 --- a/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -129,42 +132,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +181,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 7bb486de5..414ac4f51 100644 --- a/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -232,42 +229,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +278,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 85106cb82..f718e93aa 100644 --- a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -229,42 +220,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +269,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7bea863d7..486665605 100644 --- a/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -259,42 +224,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +273,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.21/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.21/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index c392c9a0a..2f8daff74 100644 --- a/generated/1.21/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.21/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -96,43 +104,49 @@ spec: description: Represents the observations of the authenticator's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +160,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.21/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.21/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 84ccb758c..72b55d000 100644 --- a/generated/1.21/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.21/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -69,43 +74,49 @@ spec: description: Represents the observations of the authenticator's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +130,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/generated/1.21/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.21/crds/config.supervisor.pinniped.dev_federationdomains.yaml index 72104b64b..fcfcd3e5f 100644 --- a/generated/1.21/crds/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/generated/1.21/crds/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -116,17 +112,17 @@ spec: - name type: object transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -161,25 +157,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -188,27 +180,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -231,44 +214,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -279,10 +256,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -304,14 +280,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -319,26 +297,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -351,43 +331,49 @@ spec: description: Conditions represent the observations of an FederationDomain's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -401,11 +387,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -433,43 +420,52 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object type: object diff --git a/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 8e3925d96..30c154f7e 100644 --- a/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.21/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -128,43 +131,49 @@ spec: description: conditions represent the observations of an OIDCClient's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +187,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.21/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.21/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 8f545cebe..c661f4038 100644 --- a/generated/1.21/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.21/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -231,43 +228,49 @@ spec: description: Represents the observations of an identity provider's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +284,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.21/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.21/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index d00317bf7..111336437 100644 --- a/generated/1.21/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.21/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -228,43 +219,49 @@ spec: description: Represents the observations of an identity provider's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +275,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.21/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.21/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7ea600b15..8f02f99be 100644 --- a/generated/1.21/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.21/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -258,43 +223,49 @@ spec: description: Represents the observations of an identity provider's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +279,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.22/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.22/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index c392c9a0a..2f8daff74 100644 --- a/generated/1.22/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.22/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -96,43 +104,49 @@ spec: description: Represents the observations of the authenticator's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +160,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.22/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.22/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 84ccb758c..72b55d000 100644 --- a/generated/1.22/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.22/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -69,43 +74,49 @@ spec: description: Represents the observations of the authenticator's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +130,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/generated/1.22/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.22/crds/config.supervisor.pinniped.dev_federationdomains.yaml index 351b0ca23..d2b62d31b 100644 --- a/generated/1.22/crds/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/generated/1.22/crds/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -117,17 +113,17 @@ spec: type: object x-kubernetes-map-type: atomic transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -162,25 +158,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -189,27 +181,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -232,44 +215,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -280,10 +257,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -305,14 +281,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -320,26 +298,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -352,43 +332,49 @@ spec: description: Conditions represent the observations of an FederationDomain's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -402,11 +388,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -434,46 +421,55 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic diff --git a/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml index 8e3925d96..30c154f7e 100644 --- a/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.22/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -128,43 +131,49 @@ spec: description: conditions represent the observations of an OIDCClient's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +187,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.22/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.22/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 8f545cebe..c661f4038 100644 --- a/generated/1.22/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.22/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -231,43 +228,49 @@ spec: description: Represents the observations of an identity provider's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +284,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.22/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.22/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index d00317bf7..111336437 100644 --- a/generated/1.22/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.22/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -228,43 +219,49 @@ spec: description: Represents the observations of an identity provider's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +275,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.22/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.22/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7ea600b15..8f02f99be 100644 --- a/generated/1.22/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.22/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -258,43 +223,49 @@ spec: description: Represents the observations of an identity provider's current state. items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - type FooStatus struct{ // Represents the observations of a foo's - current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: |- + Condition contains details for one aspect of the current state of this API Resource. + --- + This struct is intended for direct use as an array at the field path .status.conditions. For example, + type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: "Available", "Progressing", and "Degraded" + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + + + // other fields + } properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +279,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.23/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.23/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index 0520898f3..a7981552c 100644 --- a/generated/1.23/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.23/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -97,42 +105,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +154,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.23/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.23/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 5924c6f68..08defa182 100644 --- a/generated/1.23/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.23/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -70,42 +75,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +124,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/generated/1.23/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.23/crds/config.supervisor.pinniped.dev_federationdomains.yaml index 6f50730c8..7bf231443 100644 --- a/generated/1.23/crds/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/generated/1.23/crds/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -117,17 +113,17 @@ spec: type: object x-kubernetes-map-type: atomic transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -162,25 +158,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -189,27 +181,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -232,44 +215,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -280,10 +257,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -305,14 +281,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -320,26 +298,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -353,42 +333,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -402,11 +382,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -434,46 +415,55 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic diff --git a/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61c4b154..0960ca0de 100644 --- a/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.23/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -129,42 +132,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +181,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.23/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.23/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 7bb486de5..414ac4f51 100644 --- a/generated/1.23/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.23/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -232,42 +229,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +278,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.23/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.23/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 85106cb82..f718e93aa 100644 --- a/generated/1.23/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.23/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -229,42 +220,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +269,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.23/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.23/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7bea863d7..486665605 100644 --- a/generated/1.23/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.23/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -259,42 +224,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +273,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index 0520898f3..a7981552c 100644 --- a/generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -97,42 +105,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +154,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 5924c6f68..08defa182 100644 --- a/generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -70,42 +75,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +124,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/generated/1.24/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.24/crds/config.supervisor.pinniped.dev_federationdomains.yaml index 6f50730c8..7bf231443 100644 --- a/generated/1.24/crds/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/generated/1.24/crds/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -117,17 +113,17 @@ spec: type: object x-kubernetes-map-type: atomic transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -162,25 +158,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -189,27 +181,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -232,44 +215,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -280,10 +257,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -305,14 +281,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -320,26 +298,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -353,42 +333,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -402,11 +382,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -434,46 +415,55 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic diff --git a/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61c4b154..0960ca0de 100644 --- a/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -129,42 +132,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +181,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 7bb486de5..414ac4f51 100644 --- a/generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -232,42 +229,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +278,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 85106cb82..f718e93aa 100644 --- a/generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -229,42 +220,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +269,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7bea863d7..486665605 100644 --- a/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -259,42 +224,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +273,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index 0520898f3..a7981552c 100644 --- a/generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -97,42 +105,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +154,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 5924c6f68..08defa182 100644 --- a/generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -70,42 +75,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +124,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml index 6f50730c8..7bf231443 100644 --- a/generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -117,17 +113,17 @@ spec: type: object x-kubernetes-map-type: atomic transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -162,25 +158,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -189,27 +181,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -232,44 +215,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -280,10 +257,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -305,14 +281,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -320,26 +298,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -353,42 +333,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -402,11 +382,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -434,46 +415,55 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic diff --git a/generated/1.25/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.25/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61c4b154..0960ca0de 100644 --- a/generated/1.25/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.25/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -129,42 +132,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +181,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 7bb486de5..414ac4f51 100644 --- a/generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -232,42 +229,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +278,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 85106cb82..f718e93aa 100644 --- a/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -229,42 +220,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +269,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7bea863d7..486665605 100644 --- a/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -259,42 +224,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +273,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index 0520898f3..a7981552c 100644 --- a/generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -97,42 +105,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +154,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 5924c6f68..08defa182 100644 --- a/generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -70,42 +75,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +124,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml index 6f50730c8..7bf231443 100644 --- a/generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -117,17 +113,17 @@ spec: type: object x-kubernetes-map-type: atomic transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -162,25 +158,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -189,27 +181,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -232,44 +215,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -280,10 +257,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -305,14 +281,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -320,26 +298,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -353,42 +333,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -402,11 +382,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -434,46 +415,55 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic diff --git a/generated/1.26/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.26/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61c4b154..0960ca0de 100644 --- a/generated/1.26/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.26/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -129,42 +132,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +181,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 7bb486de5..414ac4f51 100644 --- a/generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -232,42 +229,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +278,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 85106cb82..f718e93aa 100644 --- a/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -229,42 +220,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +269,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7bea863d7..486665605 100644 --- a/generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -259,42 +224,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +273,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index 0520898f3..a7981552c 100644 --- a/generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -97,42 +105,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +154,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 5924c6f68..08defa182 100644 --- a/generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -70,42 +75,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +124,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/generated/1.27/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.27/crds/config.supervisor.pinniped.dev_federationdomains.yaml index 6f50730c8..7bf231443 100644 --- a/generated/1.27/crds/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/generated/1.27/crds/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -117,17 +113,17 @@ spec: type: object x-kubernetes-map-type: atomic transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -162,25 +158,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -189,27 +181,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -232,44 +215,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -280,10 +257,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -305,14 +281,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -320,26 +298,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -353,42 +333,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -402,11 +382,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -434,46 +415,55 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic diff --git a/generated/1.27/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.27/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61c4b154..0960ca0de 100644 --- a/generated/1.27/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.27/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -129,42 +132,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +181,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.27/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.27/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 7bb486de5..414ac4f51 100644 --- a/generated/1.27/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -232,42 +229,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +278,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 85106cb82..f718e93aa 100644 --- a/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -229,42 +220,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +269,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.27/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.27/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7bea863d7..486665605 100644 --- a/generated/1.27/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -259,42 +224,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +273,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.28/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.28/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index 0520898f3..a7981552c 100644 --- a/generated/1.28/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.28/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: jwtauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -31,20 +31,27 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: "JWTAuthenticator describes the configuration of a JWT authenticator. - \n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation - on it (e.g., valid signature, existence of claims, etc.) and extract the - username and groups from the token." + description: |- + JWTAuthenticator describes the configuration of a JWT authenticator. + + + Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid + signature, existence of claims, etc.) and extract the username and groups from the token. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -56,24 +63,25 @@ spec: minLength: 1 type: string claims: - description: Claims allows customization of the claims that will be - mapped to user identity for Kubernetes access. + description: |- + Claims allows customization of the claims that will be mapped to user identity + for Kubernetes access. properties: groups: - description: Groups is the name of the claim which should be read - to extract the user's group membership from the JWT token. When - not specified, it will default to "groups". + description: |- + Groups is the name of the claim which should be read to extract the user's + group membership from the JWT token. When not specified, it will default to "groups". type: string username: - description: Username is the name of the claim which should be - read to extract the username from the JWT token. When not specified, - it will default to "username". + description: |- + Username is the name of the claim which should be read to extract the + username from the JWT token. When not specified, it will default to "username". type: string type: object issuer: - description: Issuer is the OIDC issuer URL that will be used to discover - public signing keys. Issuer is also used to validate the "iss" JWT - claim. + description: |- + Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is + also used to validate the "iss" JWT claim. minLength: 1 pattern: ^https:// type: string @@ -97,42 +105,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -146,11 +154,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.28/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.28/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 5924c6f68..08defa182 100644 --- a/generated/1.28/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.28/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: webhookauthenticators.authentication.concierge.pinniped.dev spec: group: authentication.concierge.pinniped.dev @@ -32,14 +32,19 @@ spec: authenticator. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -70,42 +75,42 @@ spec: state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -119,11 +124,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.28/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.28/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 23bb032c5..8d77a6665 100644 --- a/generated/1.28/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.28/crds/config.concierge.pinniped.dev_credentialissuers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: credentialissuers.config.concierge.pinniped.dev spec: group: config.concierge.pinniped.dev @@ -33,14 +33,19 @@ spec: Pinniped Concierge credential issuer. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -52,18 +57,19 @@ spec: of the Concierge impersonation proxy. properties: externalEndpoint: - description: "ExternalEndpoint describes the HTTPS endpoint where - the proxy will be exposed. If not set, the proxy will be served - using the external name of the LoadBalancer service or the cluster - service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type - is \"None\"." + description: |- + ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will + be served using the external name of the LoadBalancer service or the cluster service DNS name. + + + This field must be non-empty when spec.impersonationProxy.service.type is "None". type: string mode: - description: 'Mode configures whether the impersonation proxy - should be started: - "disabled" explicitly disables the impersonation - proxy. This is the default. - "enabled" explicitly enables the - impersonation proxy. - "auto" enables or disables the impersonation - proxy based upon the cluster in which it is running.' + description: |- + Mode configures whether the impersonation proxy should be started: + - "disabled" explicitly disables the impersonation proxy. This is the default. + - "enabled" explicitly enables the impersonation proxy. + - "auto" enables or disables the impersonation proxy based upon the cluster in which it is running. enum: - auto - enabled @@ -82,20 +88,20 @@ spec: pairs to set as annotations on the provisioned Service. type: object loadBalancerIP: - description: LoadBalancerIP specifies the IP address to set - in the spec.loadBalancerIP field of the provisioned Service. + description: |- + LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service. This is not supported on all cloud providers. maxLength: 255 minLength: 1 type: string type: default: LoadBalancer - description: "Type specifies the type of Service to provision - for the impersonation proxy. \n If the type is \"None\", - then the \"spec.impersonationProxy.externalEndpoint\" field - must be set to a non-empty value so that the Concierge can - properly advertise the endpoint in the CredentialIssuer's - status." + description: |- + Type specifies the type of Service to provision for the impersonation proxy. + + + If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty + value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status. enum: - LoadBalancer - ClusterIP @@ -103,20 +109,21 @@ spec: type: string type: object tls: - description: "TLS contains information about how the Concierge - impersonation proxy should serve TLS. \n If this field is empty, - the impersonation proxy will generate its own TLS certificate." + description: |- + TLS contains information about how the Concierge impersonation proxy should serve TLS. + + + If this field is empty, the impersonation proxy will generate its own TLS certificate. properties: certificateAuthorityData: - description: X.509 Certificate Authority (base64-encoded PEM - bundle). Used to advertise the CA bundle for the impersonation - proxy endpoint. + description: |- + X.509 Certificate Authority (base64-encoded PEM bundle). + Used to advertise the CA bundle for the impersonation proxy endpoint. type: string secretName: - description: SecretName is the name of a Secret in the same - namespace, of type `kubernetes.io/tls`, which contains the - TLS serving certificate for the Concierge impersonation - proxy endpoint. + description: |- + SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the Concierge impersonation proxy endpoint. minLength: 1 type: string type: object @@ -131,9 +138,9 @@ spec: description: CredentialIssuerStatus describes the status of the Concierge. properties: kubeConfigInfo: - description: Information needed to form a valid Pinniped-based kubeconfig - using this credential issuer. This field is deprecated and will - be removed in a future version. + description: |- + Information needed to form a valid Pinniped-based kubeconfig using this credential issuer. + This field is deprecated and will be removed in a future version. properties: certificateAuthorityData: description: The K8s API server CA bundle. @@ -160,9 +167,9 @@ spec: this strategy. properties: impersonationProxyInfo: - description: ImpersonationProxyInfo describes the parameters - for the impersonation proxy on this Concierge. This field - is only set when Type is "ImpersonationProxy". + description: |- + ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge. + This field is only set when Type is "ImpersonationProxy". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded @@ -180,9 +187,9 @@ spec: - endpoint type: object tokenCredentialRequestInfo: - description: TokenCredentialRequestAPIInfo describes the - parameters for the TokenCredentialRequest API on this - Concierge. This field is only set when Type is "TokenCredentialRequestAPI". + description: |- + TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge. + This field is only set when Type is "TokenCredentialRequestAPI". properties: certificateAuthorityData: description: CertificateAuthorityData is the base64-encoded diff --git a/generated/1.28/crds/config.supervisor.pinniped.dev_federationdomains.yaml b/generated/1.28/crds/config.supervisor.pinniped.dev_federationdomains.yaml index 6f50730c8..7bf231443 100644 --- a/generated/1.28/crds/config.supervisor.pinniped.dev_federationdomains.yaml +++ b/generated/1.28/crds/config.supervisor.pinniped.dev_federationdomains.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: federationdomains.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -32,14 +32,19 @@ spec: description: FederationDomain describes the configuration of an OIDC provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -47,63 +52,54 @@ spec: description: Spec of the OIDC provider. properties: identityProviders: - description: "IdentityProviders is the list of identity providers - available for use by this FederationDomain. \n An identity provider - CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes - how to connect to a server, how to talk in a specific protocol for - authentication, and how to use the schema of that server/protocol - to extract a normalized user identity. Normalized user identities - include a username and a list of group names. In contrast, IdentityProviders - describes how to use that normalized identity in those Kubernetes - clusters which belong to this FederationDomain. Each entry in IdentityProviders - can be configured with arbitrary transformations on that normalized - identity. For example, a transformation can add a prefix to all - usernames to help avoid accidental conflicts when multiple identity - providers have different users with the same username (e.g. \"idp1:ryan\" - versus \"idp2:ryan\"). Each entry in IdentityProviders can also - implement arbitrary authentication rejection policies. Even though - a user was able to authenticate with the identity provider, a policy - can disallow the authentication to the Kubernetes clusters that - belong to this FederationDomain. For example, a policy could disallow - the authentication unless the user belongs to a specific group in - the identity provider. \n For backwards compatibility with versions - of Pinniped which predate support for multiple identity providers, - an empty IdentityProviders list will cause the FederationDomain - to use all available identity providers which exist in the same - namespace, but also to reject all authentication requests when there - is more than one identity provider currently defined. In this backwards - compatibility mode, the name of the identity provider resource (e.g. - the Name of an OIDCIdentityProvider resource) will be used as the - name of the identity provider in this FederationDomain. This mode - is provided to make upgrading from older versions easier. However, - instead of relying on this backwards compatibility mode, please - consider this mode to be deprecated and please instead explicitly - list the identity provider using this IdentityProviders field." + description: |- + IdentityProviders is the list of identity providers available for use by this FederationDomain. + + + An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server, + how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to + extract a normalized user identity. Normalized user identities include a username and a list of group names. + In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which + belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations + on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid + accidental conflicts when multiple identity providers have different users with the same username (e.g. + "idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication + rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow + the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could + disallow the authentication unless the user belongs to a specific group in the identity provider. + + + For backwards compatibility with versions of Pinniped which predate support for multiple identity providers, + an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which + exist in the same namespace, but also to reject all authentication requests when there is more than one identity + provider currently defined. In this backwards compatibility mode, the name of the identity provider resource + (e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this + FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of + relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead + explicitly list the identity provider using this IdentityProviders field. items: description: FederationDomainIdentityProvider describes how an identity provider is made available in this FederationDomain. properties: displayName: - description: DisplayName is the name of this identity provider - as it will appear to clients. This name ends up in the kubeconfig - of end users, so changing the name of an identity provider - that is in use by end users will be a disruptive change for - those users. + description: |- + DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the + kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a + disruptive change for those users. minLength: 1 type: string objectRef: - description: ObjectRef is a reference to a Pinniped identity - provider resource. A valid reference is required. If the reference - cannot be resolved then the identity provider will not be - made available. Must refer to a resource of one of the Pinniped - identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider, - ActiveDirectoryIdentityProvider. + description: |- + ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required. + If the reference cannot be resolved then the identity provider will not be made available. + Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider, + LDAPIdentityProvider, ActiveDirectoryIdentityProvider. properties: apiGroup: - description: APIGroup is the group for the resource being - referenced. If APIGroup is not specified, the specified - Kind must be in the core API group. For any other third-party - types, APIGroup is required. + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. type: string kind: description: Kind is the type of resource being referenced @@ -117,17 +113,17 @@ spec: type: object x-kubernetes-map-type: atomic transforms: - description: Transforms is an optional way to specify transformations - to be applied during user authentication and session refresh. + description: |- + Transforms is an optional way to specify transformations to be applied during user authentication and + session refresh. properties: constants: description: Constants defines constant variables and their values which will be made available to the transform expressions. items: - description: FederationDomainTransformsConstant defines - a constant variable and its value which will be made - available to the transform expressions. This is a union - type, and Type is the discriminator field. + description: |- + FederationDomainTransformsConstant defines a constant variable and its value which will be made available to + the transform expressions. This is a union type, and Type is the discriminator field. properties: name: description: Name determines the name of the constant. @@ -162,25 +158,21 @@ spec: - name x-kubernetes-list-type: map examples: - description: Examples can optionally be used to ensure that - the sequence of transformation expressions are working - as expected. Examples define sample input identities which - are then run through the expression list, and the results - are compared to the expected results. If any example in - this list fails, then this identity provider will not - be available for use within this FederationDomain, and - the error(s) will be added to the FederationDomain status. - This can be used to help guard against programming mistakes - in the expressions, and also act as living documentation - for other administrators to better understand the expressions. + description: |- + Examples can optionally be used to ensure that the sequence of transformation expressions are working as + expected. Examples define sample input identities which are then run through the expression list, and the + results are compared to the expected results. If any example in this list fails, then this + identity provider will not be available for use within this FederationDomain, and the error(s) will be + added to the FederationDomain status. This can be used to help guard against programming mistakes in the + expressions, and also act as living documentation for other administrators to better understand the expressions. items: description: FederationDomainTransformsExample defines a transform example. properties: expects: - description: Expects is the expected output of the - entire sequence of transforms when they are run - against the input Username and Groups. + description: |- + Expects is the expected output of the entire sequence of transforms when they are run against the + input Username and Groups. properties: groups: description: Groups is the expected list of group @@ -189,27 +181,18 @@ spec: type: string type: array message: - description: Message is the expected error message - of the transforms. When Rejected is true, then - Message is the expected message for the policy - which rejected the authentication attempt. When - Rejected is true and Message is blank, then - Message will be treated as the default error - message for authentication attempts which are - rejected by a policy. When Rejected is false, - then Message is the expected error message for - some other non-policy transformation error, - such as a runtime error. When Rejected is false, - there is no default expected Message. + description: |- + Message is the expected error message of the transforms. When Rejected is true, then Message is the expected + message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank, + then Message will be treated as the default error message for authentication attempts which are rejected by a + policy. When Rejected is false, then Message is the expected error message for some other non-policy + transformation error, such as a runtime error. When Rejected is false, there is no default expected Message. type: string rejected: - description: Rejected is a boolean that indicates - whether authentication is expected to be rejected - by a policy expression after the transformations - have been applied. True means that it is expected - that the authentication would be rejected. The - default value of false means that it is expected - that the authentication would not be rejected + description: |- + Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression + after the transformations have been applied. True means that it is expected that the authentication would be + rejected. The default value of false means that it is expected that the authentication would not be rejected by any policy expression. type: boolean username: @@ -232,44 +215,38 @@ spec: type: object type: array expressions: - description: "Expressions are an optional list of transforms - and policies to be executed in the order given during - every authentication attempt, including during every session - refresh. Each is a CEL expression. It may use the basic - CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md - plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings. - \n The username and groups extracted from the identity - provider, and the constants defined in this CR, are available - as variables in all expressions. The username is provided - via a variable called `username` and the list of group - names is provided via a variable called `groups` (which - may be an empty list). Each user-provided constants is - provided via a variable named `strConst.varName` for string - constants and `strListConst.varName` for string list constants. - \n The only allowed types for expressions are currently - policy/v1, username/v1, and groups/v1. Each policy/v1 - must return a boolean, and when it returns false, no more - expressions from the list are evaluated and the authentication - attempt is rejected. Transformations of type policy/v1 - do not return usernames or group names, and therefore - cannot change the username or group names. Each username/v1 - transform must return the new username (a string), which - can be the same as the old username. Transformations of - type username/v1 do not return group names, and therefore - cannot change the group names. Each groups/v1 transform - must return the new groups list (list of strings), which - can be the same as the old groups list. Transformations - of type groups/v1 do not return usernames, and therefore - cannot change the usernames. After each expression, the - new (potentially changed) username or groups get passed - to the following expression. \n Any compilation or static - type-checking failure of any expression will cause an - error status on the FederationDomain. During an authentication - attempt, any unexpected runtime evaluation errors (e.g. - division by zero) cause the authentication attempt to - fail. When all expressions evaluate successfully, then - the (potentially changed) username and group names have - been decided for that authentication attempt." + description: |- + Expressions are an optional list of transforms and policies to be executed in the order given during every + authentication attempt, including during every session refresh. + Each is a CEL expression. It may use the basic CEL language as defined in + https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in + https://github.com/google/cel-go/tree/master/ext#strings. + + + The username and groups extracted from the identity provider, and the constants defined in this CR, are + available as variables in all expressions. The username is provided via a variable called `username` and + the list of group names is provided via a variable called `groups` (which may be an empty list). + Each user-provided constants is provided via a variable named `strConst.varName` for string constants + and `strListConst.varName` for string list constants. + + + The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1. + Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated + and the authentication attempt is rejected. + Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the + username or group names. + Each username/v1 transform must return the new username (a string), which can be the same as the old username. + Transformations of type username/v1 do not return group names, and therefore cannot change the group names. + Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old + groups list. + Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames. + After each expression, the new (potentially changed) username or groups get passed to the following expression. + + + Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain. + During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the + authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username + and group names have been decided for that authentication attempt. items: description: FederationDomainTransformsExpression defines a transform expression. @@ -280,10 +257,9 @@ spec: minLength: 1 type: string message: - description: Message is only used when Type is policy/v1. - It defines an error message to be used when the - policy rejects an authentication attempt. When empty, - a default message will be used. + description: |- + Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects + an authentication attempt. When empty, a default message will be used. type: string type: description: Type determines the type of the expression. @@ -305,14 +281,16 @@ spec: type: object type: array issuer: - description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery - Metadata document, as well as the identifier that it will use for - the iss claim in issued JWTs. This field will also be used as the - base URL for any endpoints used by the OIDC Provider (e.g., if your - issuer is https://example.com/foo, then your authorization endpoint - will look like https://example.com/foo/some/path/to/auth/endpoint). - \n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 - for more information." + description: |- + Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the + identifier that it will use for the iss claim in issued JWTs. This field will also be used as + the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is + https://example.com/foo, then your authorization endpoint will look like + https://example.com/foo/some/path/to/auth/endpoint). + + + See + https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. minLength: 1 type: string tls: @@ -320,26 +298,28 @@ spec: Security (TLS) configuration for the FederationDomain. properties: secretName: - description: "SecretName is an optional name of a Secret in the - same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by - this FederationDomain. When provided, the TLS Secret named here - must contain keys named `tls.crt` and `tls.key` that contain - the certificate and private key to use for TLS. \n Server Name - Indication (SNI) is an extension to the Transport Layer Security - (TLS) supported by all major browsers. \n SecretName is required - if you would like to use different TLS certificates for issuers - of different hostnames. SNI requests do not include port numbers, - so all issuers with the same DNS hostname must use the same - SecretName value even if they have different port numbers. \n - SecretName is not required when you would like to use only the - HTTP endpoints (e.g. when the HTTP listener is configured to - listen on loopback interfaces or UNIX domain sockets for traffic - from a service mesh sidecar). It is also not required when you - would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." + description: |- + SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret + named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + for TLS. + + + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + + + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. + + + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is + configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar). + It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + use the default TLS certificate, which is configured elsewhere. + + + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. type: string type: object required: @@ -353,42 +333,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -402,11 +382,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -434,46 +415,55 @@ spec: secrets. properties: jwks: - description: JWKS holds the name of the corev1.Secret in which - this OIDC Provider's signing/verification keys are stored. If - it is empty, then the signing/verification keys are either unknown - or they don't exist. + description: |- + JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are + stored. If it is empty, then the signing/verification keys are either unknown or they don't + exist. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateEncryptionKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for encrypting state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + encrypting state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic stateSigningKey: - description: StateSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing state parameters - is stored. + description: |- + StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing state parameters is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic tokenSigningKey: - description: TokenSigningKey holds the name of the corev1.Secret - in which this OIDC Provider's key for signing tokens is stored. + description: |- + TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for + signing tokens is stored. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic diff --git a/generated/1.28/crds/config.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.28/crds/config.supervisor.pinniped.dev_oidcclients.yaml index c61c4b154..0960ca0de 100644 --- a/generated/1.28/crds/config.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.28/crds/config.supervisor.pinniped.dev_oidcclients.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcclients.config.supervisor.pinniped.dev spec: group: config.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: description: OIDCClient describes the configuration of an OIDC client. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,17 +55,19 @@ spec: description: Spec of the OIDC client. properties: allowedGrantTypes: - description: "allowedGrantTypes is a list of the allowed grant_type - param values that should be accepted during OIDC flows with this - client. \n Must only contain the following values: - authorization_code: - allows the client to perform the authorization code grant flow, - i.e. allows the webapp to authenticate users. This grant must always - be listed. - refresh_token: allows the client to perform refresh - grants for the user to extend the user's session. This grant must - be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange: - allows the client to perform RFC8693 token exchange, which is a - step in the process to be able to get a cluster credential for the - user. This grant must be listed if allowedScopes lists pinniped:request-audience." + description: |- + allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this + client. + + + Must only contain the following values: + - authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to + authenticate users. This grant must always be listed. + - refresh_token: allows the client to perform refresh grants for the user to extend the user's session. + This grant must be listed if allowedScopes lists offline_access. + - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + This grant must be listed if allowedScopes lists pinniped:request-audience. items: enum: - authorization_code @@ -71,12 +78,11 @@ spec: type: array x-kubernetes-list-type: set allowedRedirectURIs: - description: allowedRedirectURIs is a list of the allowed redirect_uri - param values that should be accepted during OIDC flows with this - client. Any other uris will be rejected. Must be a URI with the - https scheme, unless the hostname is 127.0.0.1 or ::1 which may - use the http scheme. Port numbers are not required for 127.0.0.1 - or ::1 and are ignored when checking for a matching redirect_uri. + description: |- + allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this + client. Any other uris will be rejected. + Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme. + Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri. items: pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/ type: string @@ -84,27 +90,24 @@ spec: type: array x-kubernetes-list-type: set allowedScopes: - description: "allowedScopes is a list of the allowed scopes param - values that should be accepted during OIDC flows with this client. - \n Must only contain the following values: - openid: The client - is allowed to request ID tokens. ID tokens only include the required - claims by default (iss, sub, aud, exp, iat). This scope must always - be listed. - offline_access: The client is allowed to request an - initial refresh token during the authorization code grant flow. - This scope must be listed if allowedGrantTypes lists refresh_token. - - pinniped:request-audience: The client is allowed to request a - new audience value during a RFC8693 token exchange, which is a step - in the process to be able to get a cluster credential for the user. - openid, username and groups scopes must be listed when this scope - is present. This scope must be listed if allowedGrantTypes lists - urn:ietf:params:oauth:grant-type:token-exchange. - username: The - client is allowed to request that ID tokens contain the user's username. - Without the username scope being requested and allowed, the ID token - will not contain the user's username. - groups: The client is allowed - to request that ID tokens contain the user's group membership, if - their group membership is discoverable by the Supervisor. Without - the groups scope being requested and allowed, the ID token will - not contain groups." + description: |- + allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. + + + Must only contain the following values: + - openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat). + This scope must always be listed. + - offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow. + This scope must be listed if allowedGrantTypes lists refresh_token. + - pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange, + which is a step in the process to be able to get a cluster credential for the user. + openid, username and groups scopes must be listed when this scope is present. + This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange. + - username: The client is allowed to request that ID tokens contain the user's username. + Without the username scope being requested and allowed, the ID token will not contain the user's username. + - groups: The client is allowed to request that ID tokens contain the user's group membership, + if their group membership is discoverable by the Supervisor. + Without the groups scope being requested and allowed, the ID token will not contain groups. items: enum: - openid @@ -129,42 +132,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -178,11 +181,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.28/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.28/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 7bb486de5..414ac4f51 100644 --- a/generated/1.28/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.28/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: an upstream Microsoft Active Directory identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,19 +55,16 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the ActiveDirectory server - to be allowed to perform searches and binds to validate a user's - credentials during a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - Active Directory bind user. This account will be used to perform - LDAP searches. The Secret should be of type "kubernetes.io/basic-auth" - which includes "username" and "password" keys. The username - value should be the full dn (distinguished name) of your bind - account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password must be non-empty. minLength: 1 type: string @@ -74,87 +76,85 @@ spec: for a user's group membership in ActiveDirectory. properties: attributes: - description: Attributes specifies how the group's information - should be read from each ActiveDirectory entry which was found - as the result of the group search. + description: |- + Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the Active Directory entries whose value shall become - a group name in the user's list of groups after a successful - authentication. The value of this field is case-sensitive - and must match the case of the attribute name returned by - the ActiveDirectory server in the user's entry. E.g. "cn" - for common name. Distinguished names can be used by specifying - lower-case "dn". Optional. When not specified, this defaults - to a custom field that looks like "sAMAccountName@domain", - where domain is constructed from the domain components of - the group DN. + description: |- + GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name + in the user's list of groups after a successful authentication. + The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain", + where domain is constructed from the domain components of the group DN. type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for groups. - It may make sense to specify a subtree as a search base if you - wish to exclude some groups for security reasons or to make - searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some groups + for security reasons or to make searches faster. type: string filter: - description: Filter is the ActiveDirectory search filter which - should be applied when searching for groups for a user. The - pattern "{}" must occur in the filter at least once and will - be dynamically replaced by the value of an attribute of the - user entry found as a result of the user search. Which attribute's - value is used to replace the placeholder(s) depends on the value - of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". + description: |- + Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. + E.g. "member={}" or "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". - This searches nested groups by default. Note that nested group - search can be slow for some Active Directory servers. To disable - it, you can set the filter to "(&(objectClass=group)(member={})" + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the filter were specified as + "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})". + This searches nested groups by default. + Note that nested group search can be slow for some Active Directory servers. To disable it, + you can set the filter to + "(&(objectClass=group)(member={})" type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -176,49 +176,46 @@ spec: a user by name in Active Directory. properties: attributes: - description: Attributes specifies how the user's information should - be read from the ActiveDirectory entry which was found as the - result of the user search. + description: |- + Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - ActiveDirectory entry which whose value shall be used to - uniquely identify the user within this ActiveDirectory provider - after a successful authentication. Optional, when empty - this defaults to "objectGUID". + description: |- + UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely + identify the user within this ActiveDirectory provider after a successful authentication. + Optional, when empty this defaults to "objectGUID". type: string username: - description: Username specifies the name of the attribute - in Active Directory entry whose value shall become the username - of the user after a successful authentication. Optional, - when empty this defaults to "userPrincipalName". + description: |- + Username specifies the name of the attribute in Active Directory entry whose value shall become the username + of the user after a successful authentication. + Optional, when empty this defaults to "userPrincipalName". type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". - Optional, when not specified it will be based on the result - of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". + Optional, when not specified it will be based on the result of a query for the defaultNamingContext + (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse). The default behavior searches your entire domain for users. - It may make sense to specify a subtree as a search base if you - wish to exclude some users or to make searches faster. + It may make sense to specify a subtree as a search base if you wish to exclude some users + or to make searches faster. type: string filter: - description: Filter is the search filter which should be applied - when searching for users. The pattern "{}" must occur in the - filter at least once and will be dynamically replaced by the - username for which the search is being run. E.g. "mail={}" or - "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' - This means that the user is a person, is not a computer, the - sAMAccountType is for a normal user account, and is not shown - in advanced view only (which would likely mean its a system - created service account with advanced permissions). Also, either - the sAMAccountName, the userPrincipalName, or the mail attribute - matches the input username. + description: |- + Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will be + '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))' + This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, + and is not shown in advanced view only + (which would likely mean its a system created service account with advanced permissions). + Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username. type: string type: object required: @@ -232,42 +229,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -281,11 +278,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.28/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.28/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 85106cb82..f718e93aa 100644 --- a/generated/1.28/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.28/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ldapidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -31,18 +31,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: LDAPIdentityProvider describes the configuration of an upstream - Lightweight Directory Access Protocol (LDAP) identity provider. + description: |- + LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access + Protocol (LDAP) identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,20 +56,17 @@ spec: description: Spec for configuring the identity provider. properties: bind: - description: Bind contains the configuration for how to provide access - credentials during an initial bind to the LDAP server to be allowed - to perform searches and binds to validate a user's credentials during - a user's authentication attempt. + description: |- + Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server + to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the username and password for an - LDAP bind user. This account will be used to perform LDAP searches. - The Secret should be of type "kubernetes.io/basic-auth" which - includes "username" and "password" keys. The username value - should be the full dn (distinguished name) of your bind account, - e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password - must be non-empty. + description: |- + SecretName contains the name of a namespace-local Secret object that provides the username and + password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be + of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value + should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com". + The password must be non-empty. minLength: 1 type: string required: @@ -74,79 +77,75 @@ spec: for a user's group membership in the LDAP provider. properties: attributes: - description: Attributes specifies how the group's information - should be read from each LDAP entry which was found as the result - of the group search. + description: |- + Attributes specifies how the group's information should be read from each LDAP entry which was found as + the result of the group search. properties: groupName: - description: GroupName specifies the name of the attribute - in the LDAP entries whose value shall become a group name + description: |- + GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name in the user's list of groups after a successful authentication. - The value of this field is case-sensitive and must match - the case of the attribute name returned by the LDAP server - in the user's entry. E.g. "cn" for common name. Distinguished - names can be used by specifying lower-case "dn". Optional. - When not specified, the default will act as if the GroupName - were specified as "dn" (distinguished name). + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn". + Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name). type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com". - When not specified, no group search will be performed and authenticated - users will not belong to any groups from the LDAP provider. - Also, when not specified, the values of Filter, UserAttributeForFilter, - Attributes, and SkipGroupRefresh are ignored. + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g. + "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and + authenticated users will not belong to any groups from the LDAP provider. Also, when not specified, + the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored. type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for groups for a user. The pattern "{}" - must occur in the filter at least once and will be dynamically - replaced by the value of an attribute of the user entry found - as a result of the user search. Which attribute's value is used - to replace the placeholder(s) depends on the value of UserAttributeForFilter. + description: |- + Filter is the LDAP search filter which should be applied when searching for groups for a user. + The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the + value of an attribute of the user entry found as a result of the user search. Which attribute's + value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter. For more information about LDAP filters, see https://ldap.com/ldap-filters. - Note that the dn (distinguished name) is not an attribute of - an entry, so "dn={}" cannot be used. Optional. When not specified, - the default will act as if the Filter were specified as "member={}". + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as "member={}". type: string skipGroupRefresh: - description: "The user's group membership is refreshed as they - interact with the supervisor to obtain new credentials (as their - old credentials expire). This allows group membership changes - to be quickly reflected into Kubernetes clusters. Since group - membership is often used to bind authorization policies, it - is important to keep the groups observed in Kubernetes clusters - in-sync with the identity provider. \n In some environments, - frequent group membership queries may result in a significant - performance impact on the identity provider and/or the supervisor. - The best approach to handle performance impacts is to tweak - the group query to be more performant, for example by disabling - nested group search or by using a more targeted group search - base. \n If the group search query cannot be made performant - and you are willing to have group memberships remain static - for approximately a day, then set skipGroupRefresh to true. - \ This is an insecure configuration as authorization policies - that are bound to group membership will not notice if a user - has been removed from a particular group until their next login. - \n This is an experimental feature that may be removed or significantly - altered in the future. Consumers of this configuration should - carefully read all release notes before upgrading to ensure - that the meaning of this field has not changed." + description: |- + The user's group membership is refreshed as they interact with the supervisor + to obtain new credentials (as their old credentials expire). This allows group + membership changes to be quickly reflected into Kubernetes clusters. Since + group membership is often used to bind authorization policies, it is important + to keep the groups observed in Kubernetes clusters in-sync with the identity + provider. + + + In some environments, frequent group membership queries may result in a + significant performance impact on the identity provider and/or the supervisor. + The best approach to handle performance impacts is to tweak the group query + to be more performant, for example by disabling nested group search or by + using a more targeted group search base. + + + If the group search query cannot be made performant and you are willing to + have group memberships remain static for approximately a day, then set + skipGroupRefresh to true. This is an insecure configuration as authorization + policies that are bound to group membership will not notice if a user has + been removed from a particular group until their next login. + + + This is an experimental feature that may be removed or significantly altered + in the future. Consumers of this configuration should carefully read all + release notes before upgrading to ensure that the meaning of this field has + not changed. type: boolean userAttributeForFilter: - description: UserAttributeForFilter specifies which attribute's - value from the user entry found as a result of the user search - will be used to replace the "{}" placeholder(s) in the group - search Filter. For example, specifying "uid" as the UserAttributeForFilter - while specifying "&(objectClass=posixGroup)(memberUid={})" as - the Filter would search for groups by replacing the "{}" placeholder - in the Filter with the value of the user's "uid" attribute. - Optional. When not specified, the default will act as if "dn" - were specified. For example, leaving UserAttributeForFilter - unspecified while specifying "&(objectClass=groupOfNames)(member={})" - as the Filter would search for groups by replacing the "{}" - placeholder(s) with the dn (distinguished name) of the user. + description: |- + UserAttributeForFilter specifies which attribute's value from the user entry found as a result of + the user search will be used to replace the "{}" placeholder(s) in the group search Filter. + For example, specifying "uid" as the UserAttributeForFilter while specifying + "&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing + the "{}" placeholder in the Filter with the value of the user's "uid" attribute. + Optional. When not specified, the default will act as if "dn" were specified. For example, leaving + UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter + would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user. type: string type: object host: @@ -168,54 +167,46 @@ spec: a user by name in the LDAP provider. properties: attributes: - description: Attributes specifies how the user's information should - be read from the LDAP entry which was found as the result of - the user search. + description: |- + Attributes specifies how the user's information should be read from the LDAP entry which was found as + the result of the user search. properties: uid: - description: UID specifies the name of the attribute in the - LDAP entry which whose value shall be used to uniquely identify - the user within this LDAP provider after a successful authentication. - E.g. "uidNumber" or "objectGUID". The value of this field - is case-sensitive and must match the case of the attribute - name returned by the LDAP server in the user's entry. Distinguished - names can be used by specifying lower-case "dn". + description: |- + UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely + identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". minLength: 1 type: string username: - description: Username specifies the name of the attribute - in the LDAP entry whose value shall become the username - of the user after a successful authentication. This would - typically be the same attribute name used in the user search - filter, although it can be different. E.g. "mail" or "uid" - or "userPrincipalName". The value of this field is case-sensitive - and must match the case of the attribute name returned by - the LDAP server in the user's entry. Distinguished names - can be used by specifying lower-case "dn". When this field - is set to "dn" then the LDAPIdentityProviderUserSearch's - Filter field cannot be blank, since the default value of - "dn={}" would not work. + description: |- + Username specifies the name of the attribute in the LDAP entry whose value shall become the username + of the user after a successful authentication. This would typically be the same attribute name used in + the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName". + The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP + server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field + is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default + value of "dn={}" would not work. minLength: 1 type: string type: object base: - description: Base is the dn (distinguished name) that should be - used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com". + description: |- + Base is the dn (distinguished name) that should be used as the search base when searching for users. + E.g. "ou=users,dc=example,dc=com". minLength: 1 type: string filter: - description: Filter is the LDAP search filter which should be - applied when searching for users. The pattern "{}" must occur - in the filter at least once and will be dynamically replaced - by the username for which the search is being run. E.g. "mail={}" - or "&(objectClass=person)(uid={})". For more information about - LDAP filters, see https://ldap.com/ldap-filters. Note that the - dn (distinguished name) is not an attribute of an entry, so - "dn={}" cannot be used. Optional. When not specified, the default - will act as if the Filter were specified as the value from Attributes.Username - appended by "={}". When the Attributes.Username is set to "dn" - then the Filter must be explicitly specified, since the default - value of "dn={}" would not work. + description: |- + Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur + in the filter at least once and will be dynamically replaced by the username for which the search is being run. + E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see + https://ldap.com/ldap-filters. + Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used. + Optional. When not specified, the default will act as if the Filter were specified as the value from + Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be + explicitly specified, since the default value of "dn={}" would not work. type: string type: object required: @@ -229,42 +220,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -278,11 +269,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/generated/1.28/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.28/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index 7bea863d7..486665605 100644 --- a/generated/1.28/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.28/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: oidcidentityproviders.idp.supervisor.pinniped.dev spec: group: idp.supervisor.pinniped.dev @@ -35,14 +35,19 @@ spec: OpenID Connect identity provider. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -50,39 +55,29 @@ spec: description: Spec for configuring the identity provider. properties: authorizationConfig: - description: AuthorizationConfig holds information about how to form - the OAuth2 authorization request parameters to be used with this - OIDC identity provider. + description: |- + AuthorizationConfig holds information about how to form the OAuth2 authorization request + parameters to be used with this OIDC identity provider. properties: additionalAuthorizeParameters: - description: additionalAuthorizeParameters are extra query parameters - that should be included in the authorize request to your OIDC - provider in the authorization request during an OIDC Authorization - Code Flow. By default, no extra parameters are sent. The standard - parameters that will be sent are "response_type", "scope", "client_id", - "state", "nonce", "code_challenge", "code_challenge_method", - and "redirect_uri". These parameters cannot be included in this - setting. Additionally, the "hd" parameter cannot be included - in this setting at this time. The "hd" parameter is used by - Google's OIDC provider to provide a hint as to which "hosted - domain" the user should use during login. However, Pinniped - does not yet support validating the hosted domain in the resulting - ID token, so it is not yet safe to use this feature of Google's - OIDC provider with Pinniped. This setting does not influence - the parameters sent to the token endpoint in the Resource Owner - Password Credentials Grant. The Pinniped Supervisor requires - that your OIDC provider returns refresh tokens to the Supervisor - from the authorization flows. Some OIDC providers may require - a certain value for the "prompt" parameter in order to properly - request refresh tokens. See the documentation of your OIDC provider's - authorization endpoint for its requirements for what to include - in the request in order to receive a refresh token in the response, - if anything. If your provider requires the prompt parameter - to request a refresh token, then include it here. Also note - that most providers also require a certain scope to be requested - in order to receive refresh tokens. See the additionalScopes - setting for more information about using scopes to request refresh - tokens. + description: |- + additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your + OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra + parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id", + "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be + included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time. + The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user + should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting + ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped. + This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password + Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the + Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt" + parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's + authorization endpoint for its requirements for what to include in the request in order to receive a refresh + token in the response, if anything. If your provider requires the prompt parameter to request a refresh token, + then include it here. Also note that most providers also require a certain scope to be requested in order to + receive refresh tokens. See the additionalScopes setting for more information about using scopes to request + refresh tokens. items: description: Parameter is a key/value pair which represents a parameter in an HTTP request. @@ -102,139 +97,109 @@ spec: - name x-kubernetes-list-type: map additionalScopes: - description: 'additionalScopes are the additional scopes that - will be requested from your OIDC provider in the authorization - request during an OIDC Authorization Code Flow and in the token - request during a Resource Owner Password Credentials Grant. - Note that the "openid" scope will always be requested regardless - of the value in this setting, since it is always required according - to the OIDC spec. By default, when this field is not set, the - Supervisor will request the following scopes: "openid", "offline_access", - "email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims - for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess - for a description of the "offline_access" scope. This default - value may change in future versions of Pinniped as the standard - evolves, or as common patterns used by providers who implement - the standard in the ecosystem evolve. By setting this list to - anything other than an empty list, you are overriding the default - value, so you may wish to include some of "offline_access", - "email", and "profile" in your override list. If you do not - want any of these scopes to be requested, you may set this list - to contain only "openid". Some OIDC providers may also require - a scope to get access to the user''s group membership, in which - case you may wish to include it in this list. Sometimes the - scope to request the user''s group membership is called "groups", - but unfortunately this is not specified in the OIDC standard. - Generally speaking, you should include any scopes required to - cause the appropriate claims to be the returned by your OIDC - provider in the ID token or userinfo endpoint results for those - claims which you would like to use in the oidcClaims settings - to determine the usernames and group memberships of your Kubernetes - users. See your OIDC provider''s documentation for more information - about what scopes are available to request claims. Additionally, - the Pinniped Supervisor requires that your OIDC provider returns - refresh tokens to the Supervisor from these authorization flows. - For most OIDC providers, the scope required to receive refresh - tokens will be "offline_access". See the documentation of your - OIDC provider''s authorization and token endpoints for its requirements - for what to include in the request in order to receive a refresh - token in the response, if anything. Note that it may be safe - to send "offline_access" even to providers which do not require - it, since the provider may ignore scopes that it does not understand - or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). - In the unusual case that you must avoid sending the "offline_access" - scope, then you must override the default value of this setting. - This is required if your OIDC provider will reject the request - when it includes "offline_access" (e.g. GitLab''s OIDC provider).' + description: |- + additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization + request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials + Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is + always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request + the following scopes: "openid", "offline_access", "email", and "profile". See + https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email" + scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the + "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves, + or as common patterns used by providers who implement the standard in the ecosystem evolve. + By setting this list to anything other than an empty list, you are overriding the + default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list. + If you do not want any of these scopes to be requested, you may set this list to contain only "openid". + Some OIDC providers may also require a scope to get access to the user's group membership, in which case you + may wish to include it in this list. Sometimes the scope to request the user's group membership is called + "groups", but unfortunately this is not specified in the OIDC standard. + Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by + your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in + the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See + your OIDC provider's documentation for more information about what scopes are available to request claims. + Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor + from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be + "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its + requirements for what to include in the request in order to receive a refresh token in the response, if anything. + Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider + may ignore scopes that it does not understand or require (see + https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the + "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC + provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider). items: type: string type: array allowPasswordGrant: - description: allowPasswordGrant, when true, will allow the use - of OAuth 2.0's Resource Owner Password Credentials Grant (see - https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to - authenticate to the OIDC provider using a username and password - without a web browser, in addition to the usual browser-based - OIDC Authorization Code Flow. The Resource Owner Password Credentials - Grant is not officially part of the OIDC specification, so it - may not be supported by your OIDC provider. If your OIDC provider - supports returning ID tokens from a Resource Owner Password - Credentials Grant token request, then you can choose to set - this field to true. This will allow end users to choose to present - their username and password to the kubectl CLI (using the Pinniped - plugin) to authenticate to the cluster, without using a web - browser to log in as is customary in OIDC Authorization Code - Flow. This may be convenient for users, especially for identities - from your OIDC provider which are not intended to represent - a human actor, such as service accounts performing actions in - a CI/CD environment. Even if your OIDC provider supports it, - you may wish to disable this behavior by setting this field - to false when you prefer to only allow users of this OIDCIdentityProvider - to log in via the browser-based OIDC Authorization Code Flow. - Using the Resource Owner Password Credentials Grant means that - the Pinniped CLI and Pinniped Supervisor will directly handle - your end users' passwords (similar to LDAPIdentityProvider), - and you will not be able to require multi-factor authentication - or use the other web-based login features of your OIDC provider - during Resource Owner Password Credentials Grant logins. allowPasswordGrant - defaults to false. + description: |- + allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant + (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a + username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow. + The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be + supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password + Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose + to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the + cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be + convenient for users, especially for identities from your OIDC provider which are not intended to represent a human + actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it, + you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this + OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password + Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords + (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other + web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins. + allowPasswordGrant defaults to false. type: boolean type: object claims: - description: Claims provides the names of token claims that will be - used when inspecting an identity from this OIDC identity provider. + description: |- + Claims provides the names of token claims that will be used when inspecting an identity from + this OIDC identity provider. properties: additionalClaimMappings: additionalProperties: type: string - description: AdditionalClaimMappings allows for additional arbitrary - upstream claim values to be mapped into the "additionalClaims" - claim of the ID tokens generated by the Supervisor. This should - be specified as a map of new claim names as the keys, and upstream - claim names as the values. These new claim names will be nested - under the top-level "additionalClaims" claim in ID tokens generated - by the Supervisor when this OIDCIdentityProvider was used for - user authentication. These claims will be made available to - all clients. This feature is not required to use the Supervisor - to provide authentication for Kubernetes clusters, but can be - used when using the Supervisor for other authentication purposes. - When this map is empty or the upstream claims are not available, - the "additionalClaims" claim will be excluded from the ID tokens - generated by the Supervisor. + description: |- + AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the + "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of + new claim names as the keys, and upstream claim names as the values. These new claim names will be nested + under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this + OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients. + This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be + used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims + are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor. type: object groups: - description: Groups provides the name of the ID token claim or - userinfo endpoint response claim that will be used to ascertain - the groups to which an identity belongs. By default, the identities - will not include any group memberships when this setting is - not configured. + description: |- + Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain + the groups to which an identity belongs. By default, the identities will not include any group memberships when + this setting is not configured. type: string username: - description: Username provides the name of the ID token claim - or userinfo endpoint response claim that will be used to ascertain - an identity's username. When not set, the username will be an - automatically constructed unique string which will include the - issuer URL of your OIDC provider along with the value of the - "sub" (subject) claim from the ID token. + description: |- + Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to + ascertain an identity's username. When not set, the username will be an automatically constructed unique string + which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from + the ID token. type: string type: object client: - description: OIDCClient contains OIDC client information to be used - used with this OIDC identity provider. + description: |- + OIDCClient contains OIDC client information to be used used with this OIDC identity + provider. properties: secretName: - description: SecretName contains the name of a namespace-local - Secret object that provides the clientID and clientSecret for - an OIDC client. If only the SecretName is specified in an OIDCClient - struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" - with keys "clientID" and "clientSecret". + description: |- + SecretName contains the name of a namespace-local Secret object that provides the clientID and + clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys + "clientID" and "clientSecret". type: string required: - secretName type: object issuer: - description: Issuer is the issuer URL of this OIDC identity provider, - i.e., where to fetch /.well-known/openid-configuration. + description: |- + Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + /.well-known/openid-configuration. minLength: 1 pattern: ^https:// type: string @@ -259,42 +224,42 @@ spec: current state. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -308,11 +273,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string