Update generated code

This commit is contained in:
Benjamin A. Petersen
2024-05-01 12:59:27 -04:00
parent e0591500ce
commit d34f297b37
20 changed files with 1292 additions and 1450 deletions


@@ -1,77 +0,0 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
time "time"
idpv1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1"
versioned "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned"
internalinterfaces "go.pinniped.dev/generated/1.21/client/supervisor/informers/externalversions/internalinterfaces"
v1alpha1 "go.pinniped.dev/generated/1.21/client/supervisor/listers/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// GitHubIdentityProviderInformer provides access to a shared informer and lister for
// GitHubIdentityProviders.
type GitHubIdentityProviderInformer interface {
Informer() cache.SharedIndexInformer
Lister() v1alpha1.GitHubIdentityProviderLister
}
type gitHubIdentityProviderInformer struct {
factory internalinterfaces.SharedInformerFactory
tweakListOptions internalinterfaces.TweakListOptionsFunc
namespace string
}
// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
}
// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options)
},
},
&idpv1alpha1.GitHubIdentityProvider{},
resyncPeriod,
indexers,
)
}
func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
}
func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer {
return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer)
}
func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister {
return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer())
}


@@ -1,332 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: githubidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev
names:
categories:
- pinniped
- pinniped-idp
- pinniped-idps
kind: GitHubIdentityProvider
listKind: GitHubIdentityProviderList
plural: githubidentityproviders
singular: githubidentityprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.githubAPI.host
name: Host
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec for configuring the identity provider.
properties:
allowAuthentication:
description: AllowAuthentication allows customization of who can authenticate
using this IDP and how.
properties:
organizations:
description: Organizations allows customization of which organizations
can authenticate using this IDP.
properties:
allowed:
description: |-
Allowed, when specified, indicates that only users with membership in at least one of the listed
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
within that organization.
If no organizations are listed, you must set organizations: AllGitHubUsers.
items:
type: string
maxItems: 64
type: array
x-kubernetes-list-type: set
policy:
default: OnlyUsersFromAllowedOrganizations
description: |-
Policy must be set to "AllGitHubUsers" if allowed is empty.
This field only exists to ensure that Pinniped administrators are aware that an empty list of
allowedOrganizations means all GitHub users are allowed to log in.
enum:
- OnlyUsersFromAllowedOrganizations
- AllGitHubUsers
type: string
type: object
x-kubernetes-validations:
- message: spec.allowAuthentication.organizations.policy must
be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed
has organizations listed
rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy
== ''AllGitHubUsers'')'
- message: spec.allowAuthentication.organizations.policy must
be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed
is empty
rule: '!((!has(self.allowed) || size(self.allowed) == 0) &&
self.policy == ''OnlyUsersFromAllowedOrganizations'')'
required:
- organizations
type: object
claims:
default: {}
description: Claims allows customization of the username and groups
claims.
properties:
groups:
default: slug
description: |-
Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
Can be either "name" or "slug". Defaults to "slug".
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
the team name or slug.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these group names are presented to Kubernetes.
See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
enum:
- name
- slug
type: string
username:
default: login:id
description: |-
Username configures which property of the GitHub user record shall determine the username in Kubernetes.
Can be either "id", "login", or "login:id". Defaults to "login:id".
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
and may not start or end with hyphens. GitHub users are allowed to change their login name,
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
then a second user might change their name from "baz" to "foo" in order to take the old
username of the first user. For this reason, it is not as safe to make authorization decisions
based only on the user's login attribute.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these usernames are presented to Kubernetes.
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
choice to concatenate the two values.
See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
enum:
- id
- login
- login:id
type: string
type: object
client:
description: Client identifies the secret with credentials for a GitHub
App or GitHub OAuth2 App (a GitHub client).
properties:
secretName:
description: |-
SecretName contains the name of a namespace-local Secret object that provides the clientID and
clientSecret for an GitHub App or GitHub OAuth2 client.
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
minLength: 1
type: string
required:
- secretName
type: object
githubAPI:
default: {}
description: GitHubAPI allows configuration for GitHub Enterprise
Server
properties:
host:
default: github.com
description: |-
Host is required only for GitHub Enterprise Server.
Defaults to using GitHub's public API ("github.com").
Do not specify a protocol or scheme since "https://" will always be used.
Port is optional. Do not specify a path, query, fragment, or userinfo.
Only domain name or IP address, subdomains (optional), and port (optional).
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
in square brackets. Example: "[::1]:443".
minLength: 1
type: string
tls:
description: TLS configuration for GitHub Enterprise Server.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM
bundle). If omitted, a default set of system roots will
be trusted.
type: string
type: object
type: object
required:
- allowAuthentication
- client
type: object
status:
description: Status of the identity provider.
properties:
conditions:
description: Conditions represents the observations of an identity
provider's current state.
items:
description: |-
Condition contains details for one aspect of the current state of this API Resource.
---
This struct is intended for direct use as an array at the field path .status.conditions. For example,
type FooStatus struct{
// Represents the observations of a foo's current state.
// Known .status.conditions.type are: "Available", "Progressing", and "Degraded"
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
// other fields
}
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the GitHubIdentityProvider.
enum:
- Pending
- Ready
- Error
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}


@@ -1,256 +0,0 @@
// Copyright 2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
type GitHubIdentityProviderPhase string
const (
// GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources.
GitHubPhasePending GitHubIdentityProviderPhase = "Pending"
// GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state.
GitHubPhaseReady GitHubIdentityProviderPhase = "Ready"
// GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state.
GitHubPhaseError GitHubIdentityProviderPhase = "Error"
)
type GitHubAllowedAuthOrganizationsPolicy string
const (
// GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity
// provider, regardless of their organization membership or lack thereof.
GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers"
// GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in
// the listed GitHub organizations are allowed to log in.
GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations"
)
// GitHubIdentityProviderStatus is the status of an GitHub identity provider.
type GitHubIdentityProviderStatus struct {
// Phase summarizes the overall status of the GitHubIdentityProvider.
//
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase GitHubIdentityProviderPhase `json:"phase,omitempty"`
// Conditions represents the observations of an identity provider's current state.
//
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
// GitHubAPIConfig allows configuration for GitHub Enterprise Server
type GitHubAPIConfig struct {
// Host is required only for GitHub Enterprise Server.
// Defaults to using GitHub's public API ("github.com").
// Do not specify a protocol or scheme since "https://" will always be used.
// Port is optional. Do not specify a path, query, fragment, or userinfo.
// Only domain name or IP address, subdomains (optional), and port (optional).
// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
// in square brackets. Example: "[::1]:443".
//
// +kubebuilder:default="github.com"
// +kubebuilder:validation:MinLength=1
// +optional
Host *string `json:"host"`
// TLS configuration for GitHub Enterprise Server.
//
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
}
// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
// to Kubernetes. See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
type GitHubUsernameAttribute string
const (
// GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes.
GitHubUsernameID GitHubUsernameAttribute = "id"
// GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes.
GitHubUsernameLogin GitHubUsernameAttribute = "login"
// GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the
// username to present to Kubernetes, separated by a colon. Example: "my-login:1234"
GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id"
)
// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
// names to present to Kubernetes. See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
type GitHubGroupNameAttribute string
const (
// GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes.
GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name"
// GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes.
GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug"
)
// GitHubClaims allows customization of the username and groups claims.
type GitHubClaims struct {
// Username configures which property of the GitHub user record shall determine the username in Kubernetes.
//
// Can be either "id", "login", or "login:id". Defaults to "login:id".
//
// GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
// and may not start or end with hyphens. GitHub users are allowed to change their login name,
// although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
// then a second user might change their name from "baz" to "foo" in order to take the old
// username of the first user. For this reason, it is not as safe to make authorization decisions
// based only on the user's login attribute.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these usernames are presented to Kubernetes.
//
// Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
// unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
// from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
// choice to concatenate the two values.
//
// See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
//
// +kubebuilder:default="login:id"
// +kubebuilder:validation:Enum={"id","login","login:id"}
// +optional
Username *GitHubUsernameAttribute `json:"username"`
// Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
//
// Can be either "name" or "slug". Defaults to "slug".
//
// GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
//
// GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
//
// Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
// forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
// or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
// the team name or slug.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these group names are presented to Kubernetes.
//
// See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
//
// +kubebuilder:default=slug
// +kubebuilder:validation:Enum=name;slug
// +optional
Groups *GitHubGroupNameAttribute `json:"groups"`
}
// GitHubClientSpec contains information about the GitHub client that this identity provider will use
// for web-based login flows.
type GitHubClientSpec struct {
// SecretName contains the name of a namespace-local Secret object that provides the clientID and
// clientSecret for an GitHub App or GitHub OAuth2 client.
//
// This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
//
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
type GitHubOrganizationsSpec struct {
// Policy must be set to "AllGitHubUsers" if allowed is empty.
//
// This field only exists to ensure that Pinniped administrators are aware that an empty list of
// allowedOrganizations means all GitHub users are allowed to log in.
//
// +kubebuilder:default=OnlyUsersFromAllowedOrganizations
// +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers
// +optional
Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"`
// Allowed, when specified, indicates that only users with membership in at least one of the listed
// GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
// teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
// provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
//
// The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
// otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
// within that organization.
//
// If no organizations are listed, you must set organizations: AllGitHubUsers.
//
// +kubebuilder:validation:MaxItems=64
// +listType=set
// +optional
Allowed []string `json:"allowed,omitempty"`
}
// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
type GitHubAllowAuthenticationSpec struct {
// Organizations allows customization of which organizations can authenticate using this IDP.
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')"
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')"
Organizations GitHubOrganizationsSpec `json:"organizations"`
}
// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
type GitHubIdentityProviderSpec struct {
// GitHubAPI allows configuration for GitHub Enterprise Server
//
// +kubebuilder:default={}
GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"`
// Claims allows customization of the username and groups claims.
//
// +kubebuilder:default={}
Claims GitHubClaims `json:"claims,omitempty"`
// AllowAuthentication allows customization of who can authenticate using this IDP and how.
AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"`
// Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
Client GitHubClientSpec `json:"client"`
}
// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
//
// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
// as OIDCClients.
//
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type GitHubIdentityProvider struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the identity provider.
Spec GitHubIdentityProviderSpec `json:"spec"`
// Status of the identity provider.
Status GitHubIdentityProviderStatus `json:"status,omitempty"`
}
// GitHubIdentityProviderList lists GitHubIdentityProvider objects.
//
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type GitHubIdentityProviderList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []GitHubIdentityProvider `json:"items"`
}


@@ -1,77 +0,0 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
time "time"
idpv1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1"
versioned "go.pinniped.dev/generated/1.22/client/supervisor/clientset/versioned"
internalinterfaces "go.pinniped.dev/generated/1.22/client/supervisor/informers/externalversions/internalinterfaces"
v1alpha1 "go.pinniped.dev/generated/1.22/client/supervisor/listers/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// GitHubIdentityProviderInformer provides access to a shared informer and lister for
// GitHubIdentityProviders.
type GitHubIdentityProviderInformer interface {
Informer() cache.SharedIndexInformer
Lister() v1alpha1.GitHubIdentityProviderLister
}
type gitHubIdentityProviderInformer struct {
factory internalinterfaces.SharedInformerFactory
tweakListOptions internalinterfaces.TweakListOptionsFunc
namespace string
}
// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
}
// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options)
},
},
&idpv1alpha1.GitHubIdentityProvider{},
resyncPeriod,
indexers,
)
}
func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
}
func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer {
return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer)
}
func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister {
return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer())
}


@@ -1,86 +0,0 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by lister-gen. DO NOT EDIT.
package v1alpha1
import (
v1alpha1 "go.pinniped.dev/generated/1.22/apis/supervisor/idp/v1alpha1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
)
// GitHubIdentityProviderLister helps list GitHubIdentityProviders.
// All objects returned here must be treated as read-only.
type GitHubIdentityProviderLister interface {
// List lists all GitHubIdentityProviders in the indexer.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error)
// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders.
GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister
GitHubIdentityProviderListerExpansion
}
// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface.
type gitHubIdentityProviderLister struct {
indexer cache.Indexer
}
// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister.
func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister {
return &gitHubIdentityProviderLister{indexer: indexer}
}
// List lists all GitHubIdentityProviders in the indexer.
func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) {
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider))
})
return ret, err
}
// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders.
func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister {
return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
}
// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders.
// All objects returned here must be treated as read-only.
type GitHubIdentityProviderNamespaceLister interface {
// List lists all GitHubIdentityProviders in the indexer for a given namespace.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error)
// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name.
// Objects returned here must be treated as read-only.
Get(name string) (*v1alpha1.GitHubIdentityProvider, error)
GitHubIdentityProviderNamespaceListerExpansion
}
// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister
// interface.
type gitHubIdentityProviderNamespaceLister struct {
indexer cache.Indexer
namespace string
}
// List lists all GitHubIdentityProviders in the indexer for a given namespace.
func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) {
err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider))
})
return ret, err
}
// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name.
func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) {
obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
if err != nil {
return nil, err
}
if !exists {
return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name)
}
return obj.(*v1alpha1.GitHubIdentityProvider), nil
}


@@ -1,332 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: githubidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev
names:
categories:
- pinniped
- pinniped-idp
- pinniped-idps
kind: GitHubIdentityProvider
listKind: GitHubIdentityProviderList
plural: githubidentityproviders
singular: githubidentityprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.githubAPI.host
name: Host
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec for configuring the identity provider.
properties:
allowAuthentication:
description: AllowAuthentication allows customization of who can authenticate
using this IDP and how.
properties:
organizations:
description: Organizations allows customization of which organizations
can authenticate using this IDP.
properties:
allowed:
description: |-
Allowed, when specified, indicates that only users with membership in at least one of the listed
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
within that organization.
If no organizations are listed, you must set organizations: AllGitHubUsers.
items:
type: string
maxItems: 64
type: array
x-kubernetes-list-type: set
policy:
default: OnlyUsersFromAllowedOrganizations
description: |-
Policy must be set to "AllGitHubUsers" if allowed is empty.
This field only exists to ensure that Pinniped administrators are aware that an empty list of
allowedOrganizations means all GitHub users are allowed to log in.
enum:
- OnlyUsersFromAllowedOrganizations
- AllGitHubUsers
type: string
type: object
x-kubernetes-validations:
- message: spec.allowAuthentication.organizations.policy must
be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed
has organizations listed
rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy
== ''AllGitHubUsers'')'
- message: spec.allowAuthentication.organizations.policy must
be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed
is empty
rule: '!((!has(self.allowed) || size(self.allowed) == 0) &&
self.policy == ''OnlyUsersFromAllowedOrganizations'')'
required:
- organizations
type: object
claims:
default: {}
description: Claims allows customization of the username and groups
claims.
properties:
groups:
default: slug
description: |-
Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
Can be either "name" or "slug". Defaults to "slug".
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
the team name or slug.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these group names are presented to Kubernetes.
See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
enum:
- name
- slug
type: string
username:
default: login:id
description: |-
Username configures which property of the GitHub user record shall determine the username in Kubernetes.
Can be either "id", "login", or "login:id". Defaults to "login:id".
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
and may not start or end with hyphens. GitHub users are allowed to change their login name,
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
then a second user might change their name from "baz" to "foo" in order to take the old
username of the first user. For this reason, it is not as safe to make authorization decisions
based only on the user's login attribute.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these usernames are presented to Kubernetes.
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
choice to concatenate the two values.
See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
enum:
- id
- login
- login:id
type: string
type: object
client:
description: Client identifies the secret with credentials for a GitHub
App or GitHub OAuth2 App (a GitHub client).
properties:
secretName:
description: |-
SecretName contains the name of a namespace-local Secret object that provides the clientID and
clientSecret for an GitHub App or GitHub OAuth2 client.
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
minLength: 1
type: string
required:
- secretName
type: object
githubAPI:
default: {}
description: GitHubAPI allows configuration for GitHub Enterprise
Server
properties:
host:
default: github.com
description: |-
Host is required only for GitHub Enterprise Server.
Defaults to using GitHub's public API ("github.com").
Do not specify a protocol or scheme since "https://" will always be used.
Port is optional. Do not specify a path, query, fragment, or userinfo.
Only domain name or IP address, subdomains (optional), and port (optional).
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
in square brackets. Example: "[::1]:443".
minLength: 1
type: string
tls:
description: TLS configuration for GitHub Enterprise Server.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM
bundle). If omitted, a default set of system roots will
be trusted.
type: string
type: object
type: object
required:
- allowAuthentication
- client
type: object
status:
description: Status of the identity provider.
properties:
conditions:
description: Conditions represents the observations of an identity
provider's current state.
items:
description: |-
Condition contains details for one aspect of the current state of this API Resource.
---
This struct is intended for direct use as an array at the field path .status.conditions. For example,
type FooStatus struct{
// Represents the observations of a foo's current state.
// Known .status.conditions.type are: "Available", "Progressing", and "Degraded"
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
// other fields
}
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the GitHubIdentityProvider.
enum:
- Pending
- Ready
- Error
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}


@@ -1658,8 +1658,14 @@ GitHubAPIConfig allows configuration for GitHub Enterprise Server
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API ("github.com"). Do not specify a protocol or scheme since "https://" will always be used. Port is optional. Do not specify a path, query, fragment, or userinfo. Only domain name or IP address, subdomains (optional), and port (optional). IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address in square brackets. Example: "[::1]:443".
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server.
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
|===
@@ -1676,7 +1682,7 @@ GitHubAllowAuthenticationSpec allows customization of who can authenticate using
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP.
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. +
|===
@@ -1707,35 +1713,62 @@ GitHubClaims allows customization of the username and groups claims.
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
then a second user might change their name from "baz" to "foo" in order to take the old +
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. +
See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclientspec"]
==== GitHubClientSpec
GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows.
GitHubClientSpec contains information about the GitHub client that this identity provider will use
for web-based login flows.
.Appears In:
****
@@ -1745,16 +1778,20 @@ GitHubClientSpec contains information about the GitHub client that this identity
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. +
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"]
==== GitHubGroupNameAttribute (string)
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
names to present to Kubernetes. See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
.Appears In:
****
@@ -1766,8 +1803,12 @@ GitHubGroupNameAttribute allows the user to specify which attribute from GitHub
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityprovider"]
==== GitHubIdentityProvider
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients.
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
.Appears In:
****
@@ -1779,8 +1820,8 @@ GitHubIdentityProvider describes the configuration of an upstream GitHub identit
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +
|===
@@ -1811,10 +1852,10 @@ GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provid
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims.
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how.
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +
|===
@@ -1831,8 +1872,8 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider.
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state.
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +
|===
@@ -1851,19 +1892,30 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in.
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include +
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
If no organizations are listed, you must set organizations: AllGitHubUsers.
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubusernameattribute"]
==== GitHubUsernameAttribute (string)
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
to Kubernetes. See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
.Appears In:
****


@@ -1658,8 +1658,14 @@ GitHubAPIConfig allows configuration for GitHub Enterprise Server
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API ("github.com"). Do not specify a protocol or scheme since "https://" will always be used. Port is optional. Do not specify a path, query, fragment, or userinfo. Only domain name or IP address, subdomains (optional), and port (optional). IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address in square brackets. Example: "[::1]:443".
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server.
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
|===
@@ -1676,7 +1682,7 @@ GitHubAllowAuthenticationSpec allows customization of who can authenticate using
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP.
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. +
|===
@@ -1707,35 +1713,62 @@ GitHubClaims allows customization of the username and groups claims.
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
then a second user might change their name from "baz" to "foo" in order to take the old +
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. +
See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclientspec"]
==== GitHubClientSpec
GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows.
GitHubClientSpec contains information about the GitHub client that this identity provider will use
for web-based login flows.
.Appears In:
****
@@ -1745,16 +1778,20 @@ GitHubClientSpec contains information about the GitHub client that this identity
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. +
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"]
==== GitHubGroupNameAttribute (string)
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
names to present to Kubernetes. See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
.Appears In:
****
@@ -1766,8 +1803,12 @@ GitHubGroupNameAttribute allows the user to specify which attribute from GitHub
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityprovider"]
==== GitHubIdentityProvider
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients.
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
.Appears In:
****
@@ -1779,8 +1820,8 @@ GitHubIdentityProvider describes the configuration of an upstream GitHub identit
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +
|===
@@ -1811,10 +1852,10 @@ GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provid
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims.
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how.
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +
|===
@@ -1831,8 +1872,8 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider.
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state.
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +
|===
@@ -1851,19 +1892,30 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in.
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include +
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
If no organizations are listed, you must set organizations: AllGitHubUsers.
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubusernameattribute"]
==== GitHubUsernameAttribute (string)
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
to Kubernetes. See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
.Appears In:
****


@@ -1658,8 +1658,14 @@ GitHubAPIConfig allows configuration for GitHub Enterprise Server
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API ("github.com"). Do not specify a protocol or scheme since "https://" will always be used. Port is optional. Do not specify a path, query, fragment, or userinfo. Only domain name or IP address, subdomains (optional), and port (optional). IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address in square brackets. Example: "[::1]:443".
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server.
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
|===
@@ -1676,7 +1682,7 @@ GitHubAllowAuthenticationSpec allows customization of who can authenticate using
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP.
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. +
|===
@@ -1707,35 +1713,62 @@ GitHubClaims allows customization of the username and groups claims.
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
then a second user might change their name from "baz" to "foo" in order to take the old +
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. +
See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclientspec"]
==== GitHubClientSpec
GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows.
GitHubClientSpec contains information about the GitHub client that this identity provider will use
for web-based login flows.
.Appears In:
****
@@ -1745,16 +1778,20 @@ GitHubClientSpec contains information about the GitHub client that this identity
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. +
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"]
==== GitHubGroupNameAttribute (string)
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
names to present to Kubernetes. See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
.Appears In:
****
@@ -1766,8 +1803,12 @@ GitHubGroupNameAttribute allows the user to specify which attribute from GitHub
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityprovider"]
==== GitHubIdentityProvider
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients.
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
.Appears In:
****
@@ -1779,8 +1820,8 @@ GitHubIdentityProvider describes the configuration of an upstream GitHub identit
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +
|===
@@ -1811,10 +1852,10 @@ GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provid
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims.
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how.
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +
|===
@@ -1831,8 +1872,8 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider.
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state.
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +
|===
@@ -1851,19 +1892,30 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in.
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include +
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
If no organizations are listed, you must set organizations: AllGitHubUsers.
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubusernameattribute"]
==== GitHubUsernameAttribute (string)
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
to Kubernetes. See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
.Appears In:
****


@@ -1658,8 +1658,14 @@ GitHubAPIConfig allows configuration for GitHub Enterprise Server
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API ("github.com"). Do not specify a protocol or scheme since "https://" will always be used. Port is optional. Do not specify a path, query, fragment, or userinfo. Only domain name or IP address, subdomains (optional), and port (optional). IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address in square brackets. Example: "[::1]:443".
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server.
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
|===
@@ -1676,7 +1682,7 @@ GitHubAllowAuthenticationSpec allows customization of who can authenticate using
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP.
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. +
|===
@@ -1707,35 +1713,62 @@ GitHubClaims allows customization of the username and groups claims.
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
then a second user might change their name from "baz" to "foo" in order to take the old +
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. +
See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclientspec"]
==== GitHubClientSpec
GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows.
GitHubClientSpec contains information about the GitHub client that this identity provider will use
for web-based login flows.
.Appears In:
****
@@ -1745,16 +1778,20 @@ GitHubClientSpec contains information about the GitHub client that this identity
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. +
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"]
==== GitHubGroupNameAttribute (string)
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
names to present to Kubernetes. See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
.Appears In:
****
@@ -1766,8 +1803,12 @@ GitHubGroupNameAttribute allows the user to specify which attribute from GitHub
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityprovider"]
==== GitHubIdentityProvider
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients.
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
.Appears In:
****
@@ -1779,8 +1820,8 @@ GitHubIdentityProvider describes the configuration of an upstream GitHub identit
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +
|===
@@ -1811,10 +1852,10 @@ GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provid
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims.
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how.
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +
|===
@@ -1831,8 +1872,8 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider.
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state.
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +
|===
@@ -1851,19 +1892,30 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in.
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include +
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
If no organizations are listed, you must set organizations: AllGitHubUsers.
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubusernameattribute"]
==== GitHubUsernameAttribute (string)
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
to Kubernetes. See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
.Appears In:
****


@@ -1658,8 +1658,14 @@ GitHubAPIConfig allows configuration for GitHub Enterprise Server
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API ("github.com"). Do not specify a protocol or scheme since "https://" will always be used. Port is optional. Do not specify a path, query, fragment, or userinfo. Only domain name or IP address, subdomains (optional), and port (optional). IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address in square brackets. Example: "[::1]:443".
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server.
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
|===
@@ -1676,7 +1682,7 @@ GitHubAllowAuthenticationSpec allows customization of who can authenticate using
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP.
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. +
|===
@@ -1707,35 +1713,62 @@ GitHubClaims allows customization of the username and groups claims.
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
then a second user might change their name from "baz" to "foo" in order to take the old +
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. +
See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclientspec"]
==== GitHubClientSpec
GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows.
GitHubClientSpec contains information about the GitHub client that this identity provider will use
for web-based login flows.
.Appears In:
****
@@ -1745,16 +1778,20 @@ GitHubClientSpec contains information about the GitHub client that this identity
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. +
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"]
==== GitHubGroupNameAttribute (string)
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
names to present to Kubernetes. See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
.Appears In:
****
@@ -1766,8 +1803,12 @@ GitHubGroupNameAttribute allows the user to specify which attribute from GitHub
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityprovider"]
==== GitHubIdentityProvider
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients.
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
.Appears In:
****
@@ -1779,8 +1820,8 @@ GitHubIdentityProvider describes the configuration of an upstream GitHub identit
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +
|===
@@ -1811,10 +1852,10 @@ GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provid
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims.
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how.
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +
|===
@@ -1831,8 +1872,8 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider.
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state.
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +
|===
@@ -1851,19 +1892,30 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in.
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include +
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
If no organizations are listed, you must set organizations: AllGitHubUsers.
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubusernameattribute"]
==== GitHubUsernameAttribute (string)
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
to Kubernetes. See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
.Appears In:
****


@@ -1658,8 +1658,14 @@ GitHubAPIConfig allows configuration for GitHub Enterprise Server
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API ("github.com"). Do not specify a protocol or scheme since "https://" will always be used. Port is optional. Do not specify a path, query, fragment, or userinfo. Only domain name or IP address, subdomains (optional), and port (optional). IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address in square brackets. Example: "[::1]:443".
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server.
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
|===
@@ -1676,7 +1682,7 @@ GitHubAllowAuthenticationSpec allows customization of who can authenticate using
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP.
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. +
|===
@@ -1707,35 +1713,62 @@ GitHubClaims allows customization of the username and groups claims.
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
then a second user might change their name from "baz" to "foo" in order to take the old +
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. +
See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclientspec"]
==== GitHubClientSpec
GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows.
GitHubClientSpec contains information about the GitHub client that this identity provider will use
for web-based login flows.
.Appears In:
****
@@ -1745,16 +1778,20 @@ GitHubClientSpec contains information about the GitHub client that this identity
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. +
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"]
==== GitHubGroupNameAttribute (string)
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
names to present to Kubernetes. See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
.Appears In:
****
@@ -1766,8 +1803,12 @@ GitHubGroupNameAttribute allows the user to specify which attribute from GitHub
[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityprovider"]
==== GitHubIdentityProvider
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients.
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
.Appears In:
****
@@ -1779,8 +1820,8 @@ GitHubIdentityProvider describes the configuration of an upstream GitHub identit
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +
|===
@@ -1811,10 +1852,10 @@ GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provid
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims.
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how.
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +
|===
@@ -1831,8 +1872,8 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider.
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state.
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +
|===
@@ -1851,19 +1892,30 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in.
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include +
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
If no organizations are listed, you must set organizations: AllGitHubUsers.
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubusernameattribute"]
==== GitHubUsernameAttribute (string)
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
to Kubernetes. See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
.Appears In:
****


@@ -1645,6 +1645,285 @@ Optional, when empty this defaults to "objectGUID". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubapiconfig"]
==== GitHubAPIConfig
GitHubAPIConfig allows configuration for GitHub Enterprise Server
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"]
==== GitHubAllowAuthenticationSpec
GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"]
==== GitHubAllowedAuthOrganizationsPolicy (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubclaims"]
==== GitHubClaims
GitHubClaims allows customization of the username and groups claims.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
then a second user might change their name from "baz" to "foo" in order to take the old +
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubclientspec"]
==== GitHubClientSpec
GitHubClientSpec contains information about the GitHub client that this identity provider will use
for web-based login flows.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"]
==== GitHubGroupNameAttribute (string)
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
names to present to Kubernetes. See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubidentityprovider"]
==== GitHubIdentityProvider
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.3/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"]
==== GitHubIdentityProviderPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"]
==== GitHubIdentityProviderSpec
GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"]
==== GitHubIdentityProviderStatus
GitHubIdentityProviderStatus is the status of an GitHub identity provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.3/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githuborganizationsspec"]
==== GitHubOrganizationsSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include +
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubusernameattribute"]
==== GitHubUsernameAttribute (string)
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
to Kubernetes. See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-ldapidentityprovider"]
==== LDAPIdentityProvider
@@ -2108,11 +2387,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request.
[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-tlsspec"]
==== TLSSpec
Configuration for TLS parameters related to identity provider integration.
TLSSpec provides TLS configuration for identity provider integration.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$]
****


@@ -0,0 +1,128 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
"context"
v1alpha1 "go.pinniped.dev/generated/1.30/apis/supervisor/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
labels "k8s.io/apimachinery/pkg/labels"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
testing "k8s.io/client-go/testing"
)
// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface
type FakeGitHubIdentityProviders struct {
Fake *FakeIDPV1alpha1
ns string
}
var githubidentityprovidersResource = v1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders")
var githubidentityprovidersKind = v1alpha1.SchemeGroupVersion.WithKind("GitHubIdentityProvider")
// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any.
func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors.
func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) {
obj, err := c.Fake.
Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{})
if obj == nil {
return nil, err
}
label, _, _ := testing.ExtractFromListOptions(opts)
if label == nil {
label = labels.Everything()
}
list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta}
for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items {
if label.Matches(labels.Set(item.Labels)) {
list.Items = append(list.Items, item)
}
}
return list, err
}
// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders.
func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
return c.Fake.
InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts))
}
// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs.
func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
_, err := c.Fake.
Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{})
return err
}
// DeleteCollection deletes a collection of objects.
func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts)
_, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{})
return err
}
// Patch applies the patch and returns the patched gitHubIdentityProvider.
func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}


@@ -9,8 +9,8 @@ import (
"context"
"time"
v1alpha1 "go.pinniped.dev/generated/1.21/apis/supervisor/idp/v1alpha1"
scheme "go.pinniped.dev/generated/1.21/client/supervisor/clientset/versioned/scheme"
v1alpha1 "go.pinniped.dev/generated/1.30/apis/supervisor/idp/v1alpha1"
scheme "go.pinniped.dev/generated/1.30/client/supervisor/clientset/versioned/scheme"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"


@@ -9,10 +9,10 @@ import (
"context"
time "time"
idpv1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1"
versioned "go.pinniped.dev/generated/1.23/client/supervisor/clientset/versioned"
internalinterfaces "go.pinniped.dev/generated/1.23/client/supervisor/informers/externalversions/internalinterfaces"
v1alpha1 "go.pinniped.dev/generated/1.23/client/supervisor/listers/idp/v1alpha1"
idpv1alpha1 "go.pinniped.dev/generated/1.30/apis/supervisor/idp/v1alpha1"
versioned "go.pinniped.dev/generated/1.30/client/supervisor/clientset/versioned"
internalinterfaces "go.pinniped.dev/generated/1.30/client/supervisor/informers/externalversions/internalinterfaces"
v1alpha1 "go.pinniped.dev/generated/1.30/client/supervisor/listers/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"


@@ -6,7 +6,7 @@
package v1alpha1
import (
v1alpha1 "go.pinniped.dev/generated/1.23/apis/supervisor/idp/v1alpha1"
v1alpha1 "go.pinniped.dev/generated/1.30/apis/supervisor/idp/v1alpha1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
