mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-01-07 14:05:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update generated code

Browse Source
This commit is contained in:
Benjamin A. Petersen
2024-05-01 12:59:27 -04:00
parent e0591500ce
commit d34f297b37
20 changed files with 1292 additions and 1450 deletions
Download Patch File Download Diff File Expand all files Collapse all files

110
generated/1.29/README.adoc generated
View File

@@ -1658,8 +1658,14 @@ GitHubAPIConfig allows configuration for GitHub Enterprise Server
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. Defaults to using GitHub's public API ("github.com"). Do not specify a protocol or scheme since "https://" will always be used. Port is optional. Do not specify a path, query, fragment, or userinfo. Only domain name or IP address, subdomains (optional), and port (optional). IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address in square brackets. Example: "[::1]:443".
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server.
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
|===
@@ -1676,7 +1682,7 @@ GitHubAllowAuthenticationSpec allows customization of who can authenticate using
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP.
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. +
|===
@@ -1707,35 +1713,62 @@ GitHubClaims allows customization of the username and groups claims.
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, and may not start or end with hyphens. GitHub users are allowed to change their login name, although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", then a second user might change their name from "baz" to "foo" in order to take the old username of the first user. For this reason, it is not as safe to make authorization decisions based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these usernames are presented to Kubernetes. +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
then a second user might change their name from "baz" to "foo" in order to take the old +
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable choice to concatenate the two values. +
See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters or single hyphens, so the first forward slash `/` will be the separator between the organization login name and the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's FederationDomain to further customize how these group names are presented to Kubernetes. +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclientspec"]
==== GitHubClientSpec
GitHubClientSpec contains information about the GitHub client that this identity provider will use for web-based login flows.
GitHubClientSpec contains information about the GitHub client that this identity provider will use
for web-based login flows.
.Appears In:
****
@@ -1745,16 +1778,20 @@ GitHubClientSpec contains information about the GitHub client that this identity
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an GitHub App or GitHub OAuth2 client. +
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"]
==== GitHubGroupNameAttribute (string)
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group names to present to Kubernetes. See the response schema for [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
names to present to Kubernetes. See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
.Appears In:
****
@@ -1766,8 +1803,12 @@ GitHubGroupNameAttribute allows the user to specify which attribute from GitHub
[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityprovider"]
==== GitHubIdentityProvider
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider. This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured as OIDCClients.
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
.Appears In:
****
@@ -1779,8 +1820,8 @@ GitHubIdentityProvider describes the configuration of an upstream GitHub identit
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +
|===
@@ -1811,10 +1852,10 @@ GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provid
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims.
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how.
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +
|===
@@ -1831,8 +1872,8 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider.
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state.
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +
|===
@@ -1851,19 +1892,30 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of allowedOrganizations means all GitHub users are allowed to log in.
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams within that organization. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include +
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
If no organizations are listed, you must set organizations: AllGitHubUsers.
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubusernameattribute"]
==== GitHubUsernameAttribute (string)
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present to Kubernetes. See the response schema for [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
to Kubernetes. See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
.Appears In:
****