diff --git a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl index 1e869247a..0ee0f0dbf 100644 --- a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl +++ b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db2..f27108627 100644 --- a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml 
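Review bot: The new "ca.crt" fallback is documented only in the type comment on ImpersonationProxyTLSSpec, while the field-level comment on CertificateAuthorityData (a context line in the first hunk; the field declaration itself lies past the hunk's end) still says only that the value is used to advertise the CA bundle, and that field comment is what lands in the generated CRD description and `kubectl explain` output. Consider repeating the precedence there, e.g. `// If not set, the "ca.crt" key of the referenced Secret is used instead; if that is also absent, no CA bundle is advertised.`. The type comment also says "the secret" without naming the field that identifies it, so stating which field selects the Secret would make the lookup unambiguous for readers of the template. It is not visible from this hunk whether the advertised value is validated as a PEM bundle before being published or copied verbatim; a sentence either way would help, since clients rely on that bundle to verify the proxy endpoint.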
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 3fef5a09e..d6e0632e1 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc 
@@ -568,14 +568,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247a..0ee0f0dbf 100644 --- a/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db2..f27108627 100644 --- a/generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index f68201ae5..6b4c9c4cf 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -568,14 +568,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247a..0ee0f0dbf 100644 --- a/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db2..f27108627 100644 --- a/generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index 192ffaa79..9d555af3b 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -568,14 +568,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247a..0ee0f0dbf 100644 --- a/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db2..f27108627 100644 --- a/generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index 4bc125c32..344061cc2 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -568,14 +568,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247a..0ee0f0dbf 100644 --- a/generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db2..f27108627 100644 --- a/generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index 1c9167e15..7e9cab09f 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc 
@@ -568,14 +568,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.21/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.21/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247a..0ee0f0dbf 100644 --- a/generated/1.21/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.21/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db2..f27108627 100644 --- a/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index 6b6f46cc6..9a3c07faf 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc 
@@ -568,14 +568,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.22/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.22/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247a..0ee0f0dbf 100644 --- a/generated/1.22/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.22/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db2..f27108627 100644 --- a/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index caf71a7a6..6d8677e20 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -568,14 +568,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.23/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.23/apis/concierge/config/v1alpha1/types_credentialissuer.go index 1e869247a..0ee0f0dbf 100644 --- a/generated/1.23/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.23/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -82,6 +82,12 @@ const ( // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should // serve TLS. +// +// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret +// for a field called "ca.crt", which will be used as the CertificateAuthorityData. +// +// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for +// the impersonation proxy endpoint. type ImpersonationProxyTLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). // Used to advertise the CA bundle for the impersonation proxy endpoint. @@ -119,6 +125,8 @@ type ImpersonationProxySpec struct { // TLS contains information about how the Concierge impersonation proxy should serve TLS. // + // If this field is empty, the impersonation proxy will generate its own TLS certificate. + // // +optional TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } diff --git a/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml index 76b3a3db2..f27108627 100644 --- a/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -104,8 +104,9 @@ spec: type: string type: object tls: - description: TLS contains information about how the Concierge - impersonation proxy should serve TLS. + description: "TLS contains information about how the Concierge + impersonation proxy should serve TLS. \n If this field is empty, + the impersonation proxy will generate its own TLS certificate." properties: certificateAuthorityData: description: X.509 Certificate Authority (base64-encoded PEM diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc index c0efdc4c7..e534819a4 100644 --- a/generated/1.24/README.adoc +++ b/generated/1.24/README.adoc 
@@ -568,14 +568,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go
index 1e869247a..0ee0f0dbf 100644
--- a/generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -82,6 +82,12 @@ const (
 // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
 // serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
 type ImpersonationProxyTLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle).
 // Used to advertise the CA bundle for the impersonation proxy endpoint.
@@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
 // TLS contains information about how the Concierge impersonation proxy should serve TLS.
 //
+ // If this field is empty, the impersonation proxy will generate its own TLS certificate.
+ //
 // +optional
 TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
diff --git a/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml
index 76b3a3db2..f27108627 100644
--- a/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -104,8 +104,9 @@ spec:
 type: string
 type: object
 tls:
- description: TLS contains information about how the Concierge
- impersonation proxy should serve TLS.
+ description: "TLS contains information about how the Concierge
+ impersonation proxy should serve TLS. \n If this field is empty,
+ the impersonation proxy will generate its own TLS certificate."
 properties:
 certificateAuthorityData:
 description: X.509 Certificate Authority (base64-encoded PEM
diff --git a/generated/1.25/README.adoc b/generated/1.25/README.adoc
index 15332b46c..c9c94198e 100644
--- a/generated/1.25/README.adoc
+++ b/generated/1.25/README.adoc
@@ -566,14 +566,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go
index 1e869247a..0ee0f0dbf 100644
--- a/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -82,6 +82,12 @@ const (
 // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
 // serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
 type ImpersonationProxyTLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle).
 // Used to advertise the CA bundle for the impersonation proxy endpoint.
@@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
 // TLS contains information about how the Concierge impersonation proxy should serve TLS.
 //
+ // If this field is empty, the impersonation proxy will generate its own TLS certificate.
+ //
 // +optional
 TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
diff --git a/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml
index 76b3a3db2..f27108627 100644
--- a/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -104,8 +104,9 @@ spec:
 type: string
 type: object
 tls:
- description: TLS contains information about how the Concierge
- impersonation proxy should serve TLS.
+ description: "TLS contains information about how the Concierge
+ impersonation proxy should serve TLS. \n If this field is empty,
+ the impersonation proxy will generate its own TLS certificate."
 properties:
 certificateAuthorityData:
 description: X.509 Certificate Authority (base64-encoded PEM
diff --git a/generated/1.26/README.adoc b/generated/1.26/README.adoc
index c68d22d4f..77d7cc3c4 100644
--- a/generated/1.26/README.adoc
+++ b/generated/1.26/README.adoc
@@ -566,14 +566,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go
index 1e869247a..0ee0f0dbf 100644
--- a/generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -82,6 +82,12 @@ const (
 // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
 // serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
 type ImpersonationProxyTLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle).
 // Used to advertise the CA bundle for the impersonation proxy endpoint.
@@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
 // TLS contains information about how the Concierge impersonation proxy should serve TLS.
 //
+ // If this field is empty, the impersonation proxy will generate its own TLS certificate.
+ //
 // +optional
 TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
diff --git a/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml
index 76b3a3db2..f27108627 100644
--- a/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -104,8 +104,9 @@ spec:
 type: string
 type: object
 tls:
- description: TLS contains information about how the Concierge
- impersonation proxy should serve TLS.
+ description: "TLS contains information about how the Concierge
+ impersonation proxy should serve TLS. \n If this field is empty,
+ the impersonation proxy will generate its own TLS certificate."
 properties:
 certificateAuthorityData:
 description: X.509 Certificate Authority (base64-encoded PEM
diff --git a/generated/1.27/README.adoc b/generated/1.27/README.adoc
index f4fbe6608..b371df55f 100644
--- a/generated/1.27/README.adoc
+++ b/generated/1.27/README.adoc
@@ -566,14 +566,17 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". -| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. + If this field is empty, the impersonation proxy will generate its own TLS certificate. |=== [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] ==== ImpersonationProxyTLSSpec -ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret for a field called "ca.crt", which will be used as the CertificateAuthorityData. + If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for the impersonation proxy endpoint. .Appears In: **** 
diff --git a/generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go
index 1e869247a..0ee0f0dbf 100644
--- a/generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -82,6 +82,12 @@ const (
 // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
 // serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
 type ImpersonationProxyTLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle).
 // Used to advertise the CA bundle for the impersonation proxy endpoint.
@@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
 // TLS contains information about how the Concierge impersonation proxy should serve TLS.
 //
+ // If this field is empty, the impersonation proxy will generate its own TLS certificate.
+ //
 // +optional
 TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
diff --git a/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml
index 76b3a3db2..f27108627 100644
--- a/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -104,8 +104,9 @@ spec:
 type: string
 type: object
 tls:
- description: TLS contains information about how the Concierge
- impersonation proxy should serve TLS.
+ description: "TLS contains information about how the Concierge
+ impersonation proxy should serve TLS. \n If this field is empty,
+ the impersonation proxy will generate its own TLS certificate."
 properties:
 certificateAuthorityData:
 description: X.509 Certificate Authority (base64-encoded PEM
diff --git a/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go
index 1e869247a..0ee0f0dbf 100644
--- a/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go
+++ b/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go
@@ -82,6 +82,12 @@ const (
 // ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should
 // serve TLS.
+//
+// If CertificateAuthorityData is not provided, the Concierge impersonation proxy will check the secret
+// for a field called "ca.crt", which will be used as the CertificateAuthorityData.
+//
+// If neither CertificateAuthorityData nor ca.crt is provided, no CA bundle will be advertised for
+// the impersonation proxy endpoint.
 type ImpersonationProxyTLSSpec struct {
 // X.509 Certificate Authority (base64-encoded PEM bundle).
 // Used to advertise the CA bundle for the impersonation proxy endpoint.
@@ -119,6 +125,8 @@ type ImpersonationProxySpec struct {
 // TLS contains information about how the Concierge impersonation proxy should serve TLS.
 //
+ // If this field is empty, the impersonation proxy will generate its own TLS certificate.
+ //
 // +optional
 TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"`
 }
diff --git a/internal/controller/impersonatorconfig/impersonator_config.go b/internal/controller/impersonatorconfig/impersonator_config.go
index e3978b474..401abf0f4 100644
--- a/internal/controller/impersonatorconfig/impersonator_config.go
+++ b/internal/controller/impersonatorconfig/impersonator_config.go
@@ -328,7 +328,8 @@ func (c *impersonatorConfigController) doSync(syncCtx controllerlib.Context, cre
 func (c *impersonatorConfigController) ensureCAAndTLSSecrets(
 ctx context.Context,
- nameInfo *certNameInfo) ([]byte, error) {
+ nameInfo *certNameInfo,
+) ([]byte, error) {
 var (
 impersonationCA *certauthority.CA
 err error
@@ -349,7 +350,8 @@ func (c *impersonatorConfigController) ensureCAAndTLSSecrets(
 func (c *impersonatorConfigController) evaluateExternallyProvidedTLSSecret(
 ctx context.Context,
- tlsSpec *v1alpha1.ImpersonationProxyTLSSpec) ([]byte, error) {
+ tlsSpec *v1alpha1.ImpersonationProxyTLSSpec,
+) ([]byte, error) {
 if tlsSpec.SecretName == "" {
 return nil, fmt.Errorf("must provide impersonationSpec.TLS.secretName if impersonationSpec.TLS is provided")
 }
@@ -378,6 +380,11 @@ func (c *impersonatorConfigController) evaluateExternallyProvidedTLSSecret(
 return nil, fmt.Errorf("could not decode impersonationSpec.TLS.certificateAuthorityData: %w", err)
 }
+ block, _ := pem.Decode(caBundle)
+ if block == nil {
+ return nil, fmt.Errorf("could not decode impersonationSpec.TLS.certificateAuthorityData: data is not a certificate")
+ }
+
 c.infoLog.Info("the impersonation proxy will advertise its CA Bundle from impersonationSpec.TLS.CertificateAuthorityData", "CertificateAuthorityData", caBundle)
 }
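Review bot: The new `pem.Decode(caBundle)` guard in evaluateExternallyProvidedTLSSecret only establishes that a PEM block of some type exists; it does not check the block type or parse it as X.509, and the discarded remainder means trailing junk after one well-formed block is accepted, so the "data is not a certificate" message claims more than was verified. Because this bundle is what clients will be told to trust, validating it the way a client does is stricter and no more code: `if ok := x509.NewCertPool().AppendCertsFromPEM(caBundle); !ok {` followed by the same `return nil, fmt.Errorf(...)`, which rejects the bundle unless at least one CERTIFICATE block parses (add a `crypto/x509` import if the file does not already have one). The readExternalTLSSecret hunk below applies the same block-only check to `ca.crt` and should get the same treatment. evaluateExternallyProvidedTLSSecret begins outside this hunk and its body continues past it.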
@@ -723,7 +730,27 @@ func (c *impersonatorConfigController) readExternalTLSSecret(externalTLSSecretNa
 return nil, err
 }
- return secretFromInformer.Data[caCrtKey], nil
+ base64EncodedCaCert := secretFromInformer.Data[caCrtKey]
+
+ if len(base64EncodedCaCert) > 0 {
+ var decodedCaCert []byte
+ decodedCaCert, err = base64.StdEncoding.DecodeString(string(secretFromInformer.Data[caCrtKey]))
+ if err != nil {
+ err = fmt.Errorf("unable to read provided ca.crt: %w", err)
+ plog.Error("error loading cert from externally provided TLS secret for the impersonation proxy", err)
+ return nil, err
+ }
+
+ block, _ := pem.Decode(decodedCaCert)
+ if block == nil {
+ plog.Warning("error loading cert from externally provided TLS secret for the impersonation proxy: data is not a certificate")
+ return nil, fmt.Errorf("unable to read provided ca.crt: data is not a certificate")
+ }
+
+ return decodedCaCert, nil
+ }
+
+ return nil, nil
 }
 func (c *impersonatorConfigController) ensureTLSSecret(ctx context.Context, nameInfo *certNameInfo, ca *certauthority.CA) error {
diff --git a/internal/controller/impersonatorconfig/impersonator_config_test.go b/internal/controller/impersonatorconfig/impersonator_config_test.go
index 6a805f794..b25dadcf8 100644
--- a/internal/controller/impersonatorconfig/impersonator_config_test.go
+++ b/internal/controller/impersonatorconfig/impersonator_config_test.go
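Review bot: readExternalTLSSecret now requires the `ca.crt` value to be base64 text inside Secret.Data, but Data already holds the API-decoded bytes and a kubernetes.io/tls Secret conventionally stores `ca.crt` as raw PEM (which is exactly what the unit test put there before this change), so any existing secret in that shape will now be rejected with "illegal base64 data" instead of being advertised; if the extra encoding layer is intended, the ImpersonationProxyTLSSpec doc comment should state that `ca.crt` must be base64-encoded PEM like CertificateAuthorityData, otherwise accept raw PEM first and fall back to base64. Separately, each failure is both logged (plog.Error / plog.Warning) and returned while the caller wraps it into the CredentialIssuer status, so every error is reported twice, and the second `secretFromInformer.Data[caCrtKey]` lookup can reuse `base64EncodedCaCert`. The sketch below accepts both forms and reports each error once; the function signature and the informer lookup are outside the hunk.
```go
	// … unchanged: informer lookup and its error handling …
	caCrt := secretFromInformer.Data[caCrtKey]
	if len(caCrt) == 0 {
		return nil, nil
	}

	// kubernetes.io/tls Secrets conventionally hold ca.crt as raw PEM; only when the value is not PEM
	// is it treated as base64-encoded PEM, so it may also be given in the CertificateAuthorityData form.
	if block, _ := pem.Decode(caCrt); block == nil {
		decoded, decodeErr := base64.StdEncoding.DecodeString(string(caCrt))
		if decodeErr != nil {
			return nil, fmt.Errorf("unable to read provided ca.crt: %w", decodeErr)
		}
		if block, _ := pem.Decode(decoded); block == nil {
			return nil, fmt.Errorf("unable to read provided ca.crt: data is not a certificate")
		}
		caCrt = decoded
	}

	return caCrt, nil
```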
@@ -1278,11 +1278,85 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 })
 })
+ when("the CertificateAuthorityData is configured with invalid data", func() {
+ it.Before(func() {
+ addNodeWithRoleToTracker("worker", kubeAPIClient)
+ })
+
+ when("CertificateAuthorityData is not base64 encoded", func() {
+ it.Before(func() {
+ addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
+ addSecretToTrackers(externalTLSSecret, kubeInformerClient)
+ addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
+ Spec: v1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
+ Mode: v1alpha1.ImpersonationProxyModeAuto,
+ ExternalEndpoint: localhostIP,
+ Service: v1alpha1.ImpersonationProxyServiceSpec{
+ Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ },
+ TLS: &v1alpha1.ImpersonationProxyTLSSpec{
+ CertificateAuthorityData: string(externalCA.Bundle()),
+ SecretName: externallyProvidedTLSSecretName,
+ },
+ },
+ },
+ }, pinnipedInformerClient, pinnipedAPIClient)
+ })
+
+ it("returns an error", func() {
+ startInformersAndController()
+ r.Error(runControllerSync(), "could not decode impersonationSpec.TLS.certificateAuthorityData: illegal base64 data at input byte 0")
+ r.Len(kubeAPIClient.Actions(), 1)
+ requireNodesListed(kubeAPIClient.Actions()[0])
+ requireCredentialIssuer(newErrorStrategy("could not decode impersonationSpec.TLS.certificateAuthorityData: illegal base64 data at input byte 0"))
+ requireMTLSClientCertProviderHasLoadedCerts([]byte{}, []byte{})
+ })
+ })
+
+ when("CertificateAuthorityData is not a cert", func() {
+ it.Before(func() {
+ addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
+ addSecretToTrackers(externalTLSSecret, kubeInformerClient)
+ addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
+ Spec: v1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
+ Mode: v1alpha1.ImpersonationProxyModeAuto,
+ ExternalEndpoint: localhostIP,
+ Service: v1alpha1.ImpersonationProxyServiceSpec{
+ Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ },
+ TLS: &v1alpha1.ImpersonationProxyTLSSpec{
+ CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("hello")),
+ SecretName: externallyProvidedTLSSecretName,
+ },
+ },
+ },
+ }, pinnipedInformerClient, pinnipedAPIClient)
+ })
+
+ it("returns an error", func() {
+ startInformersAndController()
+ r.Error(runControllerSync(), "could not decode impersonationSpec.TLS.certificateAuthorityData: data is not a certificate")
+ r.Len(kubeAPIClient.Actions(), 1)
+ requireNodesListed(kubeAPIClient.Actions()[0])
+ requireCredentialIssuer(newErrorStrategy("could not decode impersonationSpec.TLS.certificateAuthorityData: data is not a certificate"))
+ requireMTLSClientCertProviderHasLoadedCerts([]byte{}, []byte{})
+ })
+ })
+ })
+ when("the CertificateAuthorityData is not configured", func() {
+ it.Before(func() {
+ addNodeWithRoleToTracker("worker", kubeAPIClient)
+ })
+
 when("the externally provided TLS secret has a ca.crt field", func() {
 it.Before(func() {
 addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
- externalTLSSecret.Data["ca.crt"] = externalCA.Bundle()
+ externalTLSSecret.Data["ca.crt"] = []byte(base64.StdEncoding.EncodeToString(externalCA.Bundle()))
 addSecretToTrackers(externalTLSSecret, kubeInformerClient)
 addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
 ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
@@ -1299,7 +1373,6 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 },
 },
 }, pinnipedInformerClient, pinnipedAPIClient)
- addNodeWithRoleToTracker("worker", kubeAPIClient)
 })
 it("will advertise ca.crt from the externally provided secret", func() {
@@ -1307,12 +1380,76 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 r.NoError(runControllerSync())
 r.Len(kubeAPIClient.Actions(), 1)
 requireNodesListed(kubeAPIClient.Actions()[0])
- requireTLSServerIsRunning(externalTLSSecret.Data["ca.crt"], testServerAddr(), nil)
- requireCredentialIssuer(newSuccessStrategy(localhostIP, externalTLSSecret.Data["ca.crt"]))
+ requireTLSServerIsRunning(externalCA.Bundle(), testServerAddr(), nil)
+ requireCredentialIssuer(newSuccessStrategy(localhostIP, externalCA.Bundle()))
 requireMTLSClientCertProviderHasLoadedCerts(mTLSClientCertCACertPEM, mTLSClientCertCAPrivateKeyPEM)
 })
 })
+ when("the externally provided TLS secret has a ca.crt field that is not base64-encoded", func() {
+ it.Before(func() {
+ addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
+ externalTLSSecret.Data["ca.crt"] = []byte("hello")
+ addSecretToTrackers(externalTLSSecret, kubeInformerClient)
+ addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
+ Spec: v1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
+ Mode: v1alpha1.ImpersonationProxyModeAuto,
+ ExternalEndpoint: localhostIP,
+ Service: v1alpha1.ImpersonationProxyServiceSpec{
+ Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ },
+ TLS: &v1alpha1.ImpersonationProxyTLSSpec{
+ SecretName: externallyProvidedTLSSecretName,
+ },
+ },
+ },
+ }, pinnipedInformerClient, pinnipedAPIClient)
+ })
+
+ it("returns an error", func() {
+ startInformersAndController()
+ r.Error(runControllerSync(), "could not load the externally provided TLS secret for the impersonation proxy: unable to read provided ca.crt: illegal base64 data at input byte 4")
+ r.Len(kubeAPIClient.Actions(), 1)
+ requireNodesListed(kubeAPIClient.Actions()[0])
+ requireCredentialIssuer(newErrorStrategy("could not load the externally provided TLS secret for the impersonation proxy: unable to read provided ca.crt: illegal base64 data at input byte 4"))
+ requireMTLSClientCertProviderHasLoadedCerts([]byte{}, []byte{})
+ })
+ })
+
+ when("the externally provided TLS secret has a ca.crt field that is not a valid cert", func() {
+ it.Before(func() {
+ addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
+ externalTLSSecret.Data["ca.crt"] = []byte(base64.StdEncoding.EncodeToString([]byte("hello")))
+ addSecretToTrackers(externalTLSSecret, kubeInformerClient)
+ addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
+ ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
+ Spec: v1alpha1.CredentialIssuerSpec{
+ ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
+ Mode: v1alpha1.ImpersonationProxyModeAuto,
+ ExternalEndpoint: localhostIP,
+ Service: v1alpha1.ImpersonationProxyServiceSpec{
+ Type: v1alpha1.ImpersonationProxyServiceTypeNone,
+ },
+ TLS: &v1alpha1.ImpersonationProxyTLSSpec{
+ SecretName: externallyProvidedTLSSecretName,
+ },
+ },
+ },
+ }, pinnipedInformerClient, pinnipedAPIClient)
+ })
+
+ it("returns an error", func() {
+ startInformersAndController()
+ r.Error(runControllerSync(), "could not load the externally provided TLS secret for the impersonation proxy: unable to read provided ca.crt: data is not a certificate")
+ r.Len(kubeAPIClient.Actions(), 1)
+ requireNodesListed(kubeAPIClient.Actions()[0])
+ requireCredentialIssuer(newErrorStrategy("could not load the externally provided TLS secret for the impersonation proxy: unable to read provided ca.crt: data is not a certificate"))
+ requireMTLSClientCertProviderHasLoadedCerts([]byte{}, []byte{})
+ })
+ })
+
 when("the externally provided TLS secret does not have a ca.crt field", func() {
 it.Before(func() {
 addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
@@ -1332,7 +1469,6 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 },
 },
 }, pinnipedInformerClient, pinnipedAPIClient)
- addNodeWithRoleToTracker("worker", kubeAPIClient)
 })
 it("will advertise an empty CA bundle", func() {
diff --git a/test/integration/concierge_impersonation_proxy_test.go b/test/integration/concierge_impersonation_proxy_test.go
index a456451c2..42ed3c9c9 100644
--- a/test/integration/concierge_impersonation_proxy_test.go
+++ b/test/integration/concierge_impersonation_proxy_test.go
@@ -1787,29 +1787,39 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 externallyProvidedTLSServingCertPEM, externallyProvidedTLSServingKeyPEM, err = externallyProvidedCA.IssueServerCertPEM([]string{proxyServiceEndpoint}, nil, 1*time.Hour)
 require.NoError(t, err)
- externallyProvidedTLSServingCertSecretName := "external-tls-cert-secret-name" //nolint:gosec // this is not a credential
- externallyProvidedTLSServingCertSecret := &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: externallyProvidedTLSServingCertSecretName,
- Namespace: env.ConciergeNamespace,
- },
- Type: corev1.SecretTypeTLS,
- Data: map[string][]byte{
- v1.TLSCertKey: externallyProvidedTLSServingCertPEM,
- v1.TLSPrivateKeyKey: externallyProvidedTLSServingKeyPEM,
- },
- }
-
- _, err = adminClient.CoreV1().Secrets(env.ConciergeNamespace).Create(ctx, externallyProvidedTLSServingCertSecret, metav1.CreateOptions{})
- require.NoError(t, err)
-
- t.Cleanup(func() {
- err := adminClient.CoreV1().Secrets(env.ConciergeNamespace).Delete(ctx, externallyProvidedTLSServingCertSecretName, metav1.DeleteOptions{})
- require.NoError(t, err)
- })
+ externallyProvidedTLSServingCertSecret := testlib.CreateTestSecret(
+ t,
+ env.ConciergeNamespace,
+ "external-tls-cert-secret-name",
+ corev1.SecretTypeTLS,
+ map[string]string{
+ v1.TLSCertKey: string(externallyProvidedTLSServingCertPEM),
+ v1.TLSPrivateKeyKey: string(externallyProvidedTLSServingKeyPEM),
+ })
 _, originalInternallyGeneratedCAPEM := performImpersonatorDiscoveryURL(ctx, t, env, adminConciergeClient)
+ t.Cleanup(func() {
+ // Remove the TLS block from the CredentialIssuer, which should revert the ImpersonationProxy to using an
+ // internally generated TLS serving cert derived from the original CA.
+ updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
+ ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{
+ Mode: conciergev1alpha.ImpersonationProxyModeEnabled,
+ ExternalEndpoint: proxyServiceEndpoint,
+ Service: conciergev1alpha.ImpersonationProxyServiceSpec{
+ Type: conciergev1alpha.ImpersonationProxyServiceTypeClusterIP,
+ },
+ },
+ })
+
+ // Wait for the CredentialIssuer's impersonation proxy frontend strategy to be updated to the original CA bundle
+ testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
+ _, impersonationProxyCACertPEM = performImpersonatorDiscoveryURL(ctx, t, env, adminConciergeClient)
+
+ return bytes.Equal(impersonationProxyCACertPEM, originalInternallyGeneratedCAPEM), nil
+ }, 2*time.Minute, 500*time.Millisecond)
+ })
+
 updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
 ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{
 Mode: conciergev1alpha.ImpersonationProxyModeEnabled,
@@ -1819,7 +1829,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 },
 TLS: &conciergev1alpha.ImpersonationProxyTLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(externallyProvidedCA.Bundle()),
- SecretName: externallyProvidedTLSServingCertSecretName,
+ SecretName: externallyProvidedTLSServingCertSecret.Name,
 },
 },
 })
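Review bot: The relocated t.Cleanup reverts the CredentialIssuer only after the enclosing test function returns, so the `updateCredentialIssuer` call and the two-minute `RequireEventuallyWithoutError` wait inside it run on whatever `ctx` was created outside this hunk; if that context is cancelled by a `defer cancel()` when the function returns, the revert will fail inside cleanup and leave the externally provided TLS config in place for later subtests — confirm ctx outlives the body (it does if this is a t.Run subtest and ctx belongs to the parent), or derive a fresh context inside the cleanup. The LIFO order of t.Cleanup does run this revert before the deletion registered by testlib.CreateTestSecret, which is the order needed so the proxy is not briefly configured with a secret that no longer exists. The enclosing test function starts outside the hunk.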
@@ -1835,25 +1845,6 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 _, newImpersonationProxyCACertPEM := performImpersonatorDiscovery(ctx, t, env, adminClient, adminConciergeClient, refreshCredential)
 return bytes.Equal(newImpersonationProxyCACertPEM, externallyProvidedCA.Bundle()), err
 }, 2*time.Minute, 500*time.Millisecond)
-
- // Remove the TLS block from the CredentialIssuer, which should revert the ImpersonationProxy to using an
- // internally generated TLS serving cert derived from the original CA.
- updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
- ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{
- Mode: conciergev1alpha.ImpersonationProxyModeEnabled,
- ExternalEndpoint: proxyServiceEndpoint,
- Service: conciergev1alpha.ImpersonationProxyServiceSpec{
- Type: conciergev1alpha.ImpersonationProxyServiceTypeClusterIP,
- },
- },
- })
-
- // Wait for the CredentialIssuer's impersonation proxy frontend strategy to be updated to the original CA bundle
- testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
- _, impersonationProxyCACertPEM = performImpersonatorDiscoveryURL(ctx, t, env, adminConciergeClient)
-
- return bytes.Equal(impersonationProxyCACertPEM, originalInternallyGeneratedCAPEM), nil
- }, 2*time.Minute, 500*time.Millisecond)
 })
 t.Run("manually disabling the impersonation proxy feature", func(t *testing.T) {