diff --git a/.golangci.yaml b/.golangci.yaml
index 1504f4263..d4e5e5e77 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -100,3 +100,16 @@ linters-settings:
 alias: utilerrors
 - pkg: k8s.io/apimachinery/pkg/api/errors
 alias: apierrors
+ - pkg: k8s.io/apimachinery/pkg/apis/meta/v1
+ alias: metav1
+ # k8s.io libs
+ - pkg: k8s.io/api/core/v1
+ alias: corev1
+ # OAuth2/OIDC/Fosite libs
+ - pkg: github.com/coreos/go-oidc/v3/oidc
+ alias: coreosoidc
+ - pkg: github.com/ory/fosite/handler/oauth2
+ alias: fositeoauth2
+ # Generated Pinniped libs
+ - pkg: go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1
+ alias: authenticationv1alpha1
diff --git a/cmd/pinniped/cmd/kubeconfig.go b/cmd/pinniped/cmd/kubeconfig.go
index 0265fab9f..85c04bbbc 100644
--- a/cmd/pinniped/cmd/kubeconfig.go
+++ b/cmd/pinniped/cmd/kubeconfig.go
@@ -25,7 +25,7 @@ import (
 clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 "k8s.io/utils/strings/slices"
- conciergev1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 idpdiscoveryv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
 oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
@@ -477,7 +477,7 @@ func logStrategies(credentialIssuer *configv1alpha1.CredentialIssuer, log plog.M
 func discoverAuthenticatorParams(authenticator metav1.Object, flags *getKubeconfigParams, log plog.MinLogger) error {
 switch auth := authenticator.(type) {
- case *conciergev1alpha1.WebhookAuthenticator:
+ case *authenticationv1alpha1.WebhookAuthenticator:
 // If the --concierge-authenticator-type/--concierge-authenticator-name flags were not set explicitly, set
 // them to point at the discovered WebhookAuthenticator.
 if flags.concierge.authenticatorType == "" && flags.concierge.authenticatorName == "" {
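Review bot: The `# k8s.io libs` heading in the new importas entries is placed between two k8s.io packages (the metav1 entry above it, corev1 below it), so the comment does not describe the group it introduces; move it above the `k8s.io/apimachinery/pkg/apis/meta/v1` line, or fold metav1 into the existing apimachinery run and keep the heading for corev1 only. Separately, as far as this hunk shows, these entries only make importas reject a *different* alias for the listed packages; whether an unaliased import of `authentication/v1alpha1` is also flagged depends on `no-unaliased` in the part of the importas settings not visible here, which is worth confirming given that the rest of this change exists to standardize that alias.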
@@ -485,7 +485,7 @@ func discoverAuthenticatorParams(authenticator metav1.Object, flags *getKubeconf
 flags.concierge.authenticatorType = "webhook"
 flags.concierge.authenticatorName = auth.Name
 }
- case *conciergev1alpha1.JWTAuthenticator:
+ case *authenticationv1alpha1.JWTAuthenticator:
 // If the --concierge-authenticator-type/--concierge-authenticator-name flags were not set explicitly, set
 // them to point at the discovered JWTAuthenticator.
 if flags.concierge.authenticatorType == "" && flags.concierge.authenticatorName == "" {
diff --git a/cmd/pinniped/cmd/kubeconfig_test.go b/cmd/pinniped/cmd/kubeconfig_test.go
index 656d5126b..7a791c44f 100644
--- a/cmd/pinniped/cmd/kubeconfig_test.go
+++ b/cmd/pinniped/cmd/kubeconfig_test.go
@@ -20,7 +20,7 @@ import (
 "k8s.io/client-go/tools/clientcmd"
 "k8s.io/utils/ptr"
- conciergev1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 fakeconciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
@@ -64,12 +64,12 @@ func TestGetKubeconfig(t *testing.T) {
 }
 jwtAuthenticator := func(issuerCABundle string, issuerURL string) runtime.Object {
- return &conciergev1alpha1.JWTAuthenticator{
+ return &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
- Spec: conciergev1alpha1.JWTAuthenticatorSpec{
+ Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: issuerURL,
 Audience: "test-audience",
- TLS: &conciergev1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(issuerCABundle)),
 },
 },
@@ -445,10 +445,10 @@ func TestGetKubeconfig(t *testing.T) {
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
 &configv1alpha1.CredentialIssuer{ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"}},
- &conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-1"}},
- &conciergev1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-2"}},
- &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-3"}},
- &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-4"}},
+ &authenticationv1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-1"}},
+ &authenticationv1alpha1.JWTAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-2"}},
+ &authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-3"}},
+ &authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator-4"}},
 }
 },
 wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -485,7 +485,7 @@ func TestGetKubeconfig(t *testing.T) {
 }},
 },
 },
- &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
+ &authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 }
 },
 wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -546,7 +546,7 @@ func TestGetKubeconfig(t *testing.T) {
 },
 },
 },
- &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
+ &authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 }
 },
 wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -571,7 +571,7 @@ func TestGetKubeconfig(t *testing.T) {
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
 credentialIssuer(),
- &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
+ &authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 }
 },
 wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -615,12 +615,12 @@ func TestGetKubeconfig(t *testing.T) {
 }},
 },
 },
- &conciergev1alpha1.JWTAuthenticator{
+ &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
- Spec: conciergev1alpha1.JWTAuthenticatorSpec{
+ Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: issuerURL,
 Audience: "some-test-audience",
- TLS: &conciergev1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: "invalid-base64",
 },
 },
@@ -653,12 +653,12 @@ func TestGetKubeconfig(t *testing.T) {
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
 credentialIssuer(),
- &conciergev1alpha1.JWTAuthenticator{
+ &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
- Spec: conciergev1alpha1.JWTAuthenticatorSpec{
+ Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: issuerURL,
 Audience: "some-test-audience.pinniped.dev-invalid-substring",
- TLS: &conciergev1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(issuerCABundle)),
 },
 },
@@ -758,7 +758,7 @@ func TestGetKubeconfig(t *testing.T) {
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
 credentialIssuer(),
- &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
+ &authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 }
 },
 wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -1008,9 +1008,9 @@ func TestGetKubeconfig(t *testing.T) {
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
 credentialIssuer(),
- &conciergev1alpha1.JWTAuthenticator{
+ &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
- Spec: conciergev1alpha1.JWTAuthenticatorSpec{
+ Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: issuerURL,
 Audience: "test-audience",
 },
@@ -1047,9 +1047,9 @@ func TestGetKubeconfig(t *testing.T) {
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
 credentialIssuer(),
- &conciergev1alpha1.JWTAuthenticator{
+ &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
- Spec: conciergev1alpha1.JWTAuthenticatorSpec{
+ Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: issuerURL,
 Audience: "test-audience",
 },
@@ -1397,7 +1397,7 @@ func TestGetKubeconfig(t *testing.T) {
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
 credentialIssuer(),
- &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
+ &authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 }
 },
 wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -1461,7 +1461,7 @@ func TestGetKubeconfig(t *testing.T) {
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
 credentialIssuer(),
- &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
+ &authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 }
 },
 wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -1615,7 +1615,7 @@ func TestGetKubeconfig(t *testing.T) {
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
 credentialIssuer(),
- &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
+ &authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 }
 },
 oidcDiscoveryResponse: onlyIssuerOIDCDiscoveryResponse,
@@ -3145,7 +3145,7 @@ func TestGetKubeconfig(t *testing.T) {
 conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
 return []runtime.Object{
 credentialIssuer(),
- &conciergev1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
+ &authenticationv1alpha1.WebhookAuthenticator{ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"}},
 }
 },
 wantLogs: func(issuerCABundle string, issuerURL string) []string {
diff --git a/internal/controller/authenticator/authenticator.go b/internal/controller/authenticator/authenticator.go
index 7623aecd9..59b1cc956 100644
--- a/internal/controller/authenticator/authenticator.go
+++ b/internal/controller/authenticator/authenticator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Package authenticator contains helper code for dealing with *Authenticator CRDs.
@@ -11,7 +11,7 @@ import (
 "k8s.io/client-go/util/cert"
- auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 )
 // Closer is a type that can be closed idempotently.
@@ -25,7 +25,7 @@ type Closer interface {
 // CABundle returns a PEM-encoded CA bundle from the provided spec. If the provided spec is nil, a
 // nil CA bundle will be returned. If the provided spec contains a CA bundle that is not properly
 // encoded, an error will be returned.
-func CABundle(spec *auth1alpha1.TLSSpec) (*x509.CertPool, []byte, error) {
+func CABundle(spec *authenticationv1alpha1.TLSSpec) (*x509.CertPool, []byte, error) {
 if spec == nil || len(spec.CertificateAuthorityData) == 0 {
 return nil, nil, nil
 }
diff --git a/internal/controller/authenticator/authncache/cache_test.go b/internal/controller/authenticator/authncache/cache_test.go
index f9dfec1ee..9d22caa07 100644
--- a/internal/controller/authenticator/authncache/cache_test.go
+++ b/internal/controller/authenticator/authncache/cache_test.go
@@ -17,7 +17,7 @@ import (
 "k8s.io/apiserver/pkg/authentication/authenticator"
 "k8s.io/apiserver/pkg/authentication/user"
- authv1alpha "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 loginapi "go.pinniped.dev/generated/latest/apis/concierge/login"
 "go.pinniped.dev/internal/mocks/mocktokenauthenticator"
 )
@@ -75,7 +75,7 @@ func TestAuthenticateTokenCredentialRequest(t *testing.T) {
 },
 Spec: loginapi.TokenCredentialRequestSpec{
 Authenticator: corev1.TypedLocalObjectReference{
- APIGroup: &authv1alpha.SchemeGroupVersion.Group,
+ APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
 Kind: "WebhookAuthenticator",
 Name: "test-name",
 },
diff --git a/internal/controller/authenticator/cachecleaner/cachecleaner.go b/internal/controller/authenticator/cachecleaner/cachecleaner.go
index 9a789b279..772bd57c2 100644
--- a/internal/controller/authenticator/cachecleaner/cachecleaner.go
+++ b/internal/controller/authenticator/cachecleaner/cachecleaner.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 // Package cachecleaner implements a controller for garbage collecting authenticators from an authenticator cache.
@@ -11,7 +11,7 @@ import (
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/klog/v2"
- auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 authinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions/authentication/v1alpha1"
 pinnipedcontroller "go.pinniped.dev/internal/controller"
 "go.pinniped.dev/internal/controller/authenticator"
@@ -74,7 +74,7 @@ func (c *controller) Sync(_ controllerlib.Context) error {
 key := authncache.Key{
 Name: webhook.Name,
 Kind: "WebhookAuthenticator",
- APIGroup: auth1alpha1.SchemeGroupVersion.Group,
+ APIGroup: authenticationv1alpha1.SchemeGroupVersion.Group,
 }
 authenticatorSet[key] = true
 }
@@ -82,14 +82,14 @@ func (c *controller) Sync(_ controllerlib.Context) error {
 key := authncache.Key{
 Name: jwtAuthenticator.Name,
 Kind: "JWTAuthenticator",
- APIGroup: auth1alpha1.SchemeGroupVersion.Group,
+ APIGroup: authenticationv1alpha1.SchemeGroupVersion.Group,
 }
 authenticatorSet[key] = true
 }
 // Delete any entries from the cache which are no longer in the cluster.
 for _, key := range c.cache.Keys() {
- if key.APIGroup != auth1alpha1.SchemeGroupVersion.Group || (key.Kind != "WebhookAuthenticator" && key.Kind != "JWTAuthenticator") {
+ if key.APIGroup != authenticationv1alpha1.SchemeGroupVersion.Group || (key.Kind != "WebhookAuthenticator" && key.Kind != "JWTAuthenticator") {
 continue
 }
 if _, exists := authenticatorSet[key]; !exists {
diff --git a/internal/controller/authenticator/cachecleaner/cachecleaner_test.go b/internal/controller/authenticator/cachecleaner/cachecleaner_test.go
index 72636b8f7..c72068829 100644
--- a/internal/controller/authenticator/cachecleaner/cachecleaner_test.go
+++ b/internal/controller/authenticator/cachecleaner/cachecleaner_test.go
@@ -12,7 +12,7 @@ import (
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apiserver/pkg/authentication/authenticator"
- authv1alpha "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 pinnipedfake "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
 pinnipedinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions"
 controllerAuthenticator "go.pinniped.dev/internal/controller/authenticator"
@@ -65,12 +65,12 @@ func TestController(t *testing.T) {
 cache.Store(testJWTAuthenticatorKey1, nil)
 },
 objects: []runtime.Object{
- &authv1alpha.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: testWebhookKey1.Name,
 },
 },
- &authv1alpha.JWTAuthenticator{
+ &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: testJWTAuthenticatorKey1.Name,
 },
@@ -81,22 +81,22 @@ func TestController(t *testing.T) {
 {
 name: "authenticators not yet added",
 objects: []runtime.Object{
- &authv1alpha.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: testWebhookKey1.Name,
 },
 },
- &authv1alpha.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: testWebhookKey2.Name,
 },
 },
- &authv1alpha.JWTAuthenticator{
+ &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: testJWTAuthenticatorKey1.Name,
 },
 },
- &authv1alpha.JWTAuthenticator{
+ &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: testJWTAuthenticatorKey2.Name,
 },
@@ -114,12 +114,12 @@ func TestController(t *testing.T) {
 cache.Store(testKeyUnknownType, nil)
 },
 objects: []runtime.Object{
- &authv1alpha.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: testWebhookKey1.Name,
 },
 },
- &authv1alpha.JWTAuthenticator{
+ &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: testJWTAuthenticatorKey1.Name,
 },
diff --git a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go
index 1159aa1da..02b8289a9 100644
--- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go
+++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go
@@ -29,7 +29,7 @@ import (
 "k8s.io/utils/clock"
 "k8s.io/utils/ptr"
- auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 authinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions/authentication/v1alpha1"
@@ -103,7 +103,7 @@ type tokenAuthenticatorCloser interface {
 type cachedJWTAuthenticator struct {
 authenticator.Token
- spec *auth1alpha1.JWTAuthenticatorSpec
+ spec *authenticationv1alpha1.JWTAuthenticatorSpec
 cancel context.CancelFunc
 }
@@ -161,7 +161,7 @@ func (c *jwtCacheFillerController) Sync(ctx controllerlib.Context) error {
 }
 cacheKey := authncache.Key{
- APIGroup: auth1alpha1.GroupName,
+ APIGroup: authenticationv1alpha1.GroupName,
 Kind: "JWTAuthenticator",
 Name: ctx.Key.Name,
 }
@@ -245,7 +245,7 @@ func (c *jwtCacheFillerController) extractValueAsJWTAuthenticator(value authncac
 return jwtAuthenticator
 }
-func (c *jwtCacheFillerController) validateTLS(tlsSpec *auth1alpha1.TLSSpec, conditions []*metav1.Condition) (*x509.CertPool, []*metav1.Condition, bool) {
+func (c *jwtCacheFillerController) validateTLS(tlsSpec *authenticationv1alpha1.TLSSpec, conditions []*metav1.Condition) (*x509.CertPool, []*metav1.Condition, bool) {
 rootCAs, _, err := pinnipedauthenticator.CABundle(tlsSpec)
 if err != nil {
 msg := fmt.Sprintf("%s: %s", "invalid TLS configuration", err.Error())
@@ -504,7 +504,7 @@ func (c *jwtCacheFillerController) validateJWKSFetch(ctx context.Context, jwksUR
 }
 // newCachedJWTAuthenticator creates a jwt authenticator from the provided spec.
-func (c *jwtCacheFillerController) newCachedJWTAuthenticator(client *http.Client, spec *auth1alpha1.JWTAuthenticatorSpec, keySet *coreosoidc.RemoteKeySet, conditions []*metav1.Condition, prereqOk bool) (*cachedJWTAuthenticator, []*metav1.Condition, error) {
+func (c *jwtCacheFillerController) newCachedJWTAuthenticator(client *http.Client, spec *authenticationv1alpha1.JWTAuthenticatorSpec, keySet *coreosoidc.RemoteKeySet, conditions []*metav1.Condition, prereqOk bool) (*cachedJWTAuthenticator, []*metav1.Condition, error) {
 if !prereqOk {
 conditions = append(conditions, &metav1.Condition{
 Type: typeAuthenticatorValid,
@@ -580,13 +580,13 @@ func (c *jwtCacheFillerController) newCachedJWTAuthenticator(client *http.Client
 func (c *jwtCacheFillerController) updateStatus(
 ctx context.Context,
- original *auth1alpha1.JWTAuthenticator,
+ original *authenticationv1alpha1.JWTAuthenticator,
 conditions []*metav1.Condition,
 ) error {
 updated := original.DeepCopy()
 if conditionsutil.HadErrorCondition(conditions) {
- updated.Status.Phase = auth1alpha1.JWTAuthenticatorPhaseError
+ updated.Status.Phase = authenticationv1alpha1.JWTAuthenticatorPhaseError
 conditions = append(conditions, &metav1.Condition{
 Type: typeReady,
 Status: metav1.ConditionFalse,
@@ -594,7 +594,7 @@ func (c *jwtCacheFillerController) updateStatus(
 Message: "the JWTAuthenticator is not ready: see other conditions for details",
 })
 } else {
- updated.Status.Phase = auth1alpha1.JWTAuthenticatorPhaseReady
+ updated.Status.Phase = authenticationv1alpha1.JWTAuthenticatorPhaseReady
 conditions = append(conditions, &metav1.Condition{
 Type: typeReady,
 Status: metav1.ConditionTrue,
diff --git a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
index ca09c410b..97ecfd46d 100644
--- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
+++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
@@ -33,7 +33,7 @@ import (
 coretesting "k8s.io/client-go/testing"
 clocktesting "k8s.io/utils/clock/testing"
- auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 pinnipedfake "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
 pinnipedinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions"
 "go.pinniped.dev/internal/controller/authenticator/authncache"
@@ -216,72 +216,72 @@ func TestController(t *testing.T) {
 timeInThePast := time.Date(1111, time.January, 1, 1, 1, 1, 111111, time.Local)
 frozenTimeInThePast := metav1.NewTime(timeInThePast)
- someJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+ someJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: goodIssuer,
 Audience: goodAudience,
 TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 }
- someJWTAuthenticatorSpecWithUsernameClaim := &auth1alpha1.JWTAuthenticatorSpec{
+ someJWTAuthenticatorSpecWithUsernameClaim := &authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: goodIssuer,
 Audience: goodAudience,
 TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
- Claims: auth1alpha1.JWTTokenClaims{
+ Claims: authenticationv1alpha1.JWTTokenClaims{
 Username: "my-custom-username-claim",
 },
 }
- someJWTAuthenticatorSpecWithGroupsClaim := &auth1alpha1.JWTAuthenticatorSpec{
+ someJWTAuthenticatorSpecWithGroupsClaim := &authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: goodIssuer,
 Audience: goodAudience,
 TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
- Claims: auth1alpha1.JWTTokenClaims{
+ Claims: authenticationv1alpha1.JWTTokenClaims{
 Groups: customGroupsClaim,
 },
 }
- otherJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+ otherJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: someOtherIssuer,
 Audience: goodAudience,
 // Some random generated cert
 // Issuer: C=US, O=Pivotal
 // No SAN provided
- TLS: &auth1alpha1.TLSSpec{CertificateAuthorityData: "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"},
+ TLS: &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: "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"},
 }
- missingTLSJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+ missingTLSJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: goodIssuer,
 Audience: goodAudience,
 }
- invalidTLSJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+ invalidTLSJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: someOtherIssuer,
 Audience: goodAudience,
- TLS: &auth1alpha1.TLSSpec{CertificateAuthorityData: "invalid base64-encoded data"},
+ TLS: &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: "invalid base64-encoded data"},
 }
- invalidIssuerJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+ invalidIssuerJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: "https://.café .com/café/café/café/coffee",
 Audience: goodAudience,
 TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 }
- invalidIssuerSchemeJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+ invalidIssuerSchemeJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: "http://.café.com/café/café/café/coffee",
 Audience: goodAudience,
 TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS),
 }
- validIssuerURLButDoesNotExistJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+ validIssuerURLButDoesNotExistJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: goodIssuer + "/foo/bar/baz/shizzle",
 Audience: goodAudience,
 }
- badIssuerJWKSURIJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+ badIssuerJWKSURIJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: badIssuerInvalidJWKSURI,
 Audience: goodAudience,
 TLS: conciergetestutil.TLSSpecFromTLSConfig(badOIDCIssuerServerInvalidJWKSURI.TLS),
 }
- badIssuerJWKSURISchemeJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+ badIssuerJWKSURISchemeJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: badIssuerInvalidJWKSURIScheme,
 Audience: goodAudience,
 TLS: conciergetestutil.TLSSpecFromTLSConfig(badOIDCIssuerServerInvalidJWKSURIScheme.TLS),
 }
- jwksFetchShouldFailJWTAuthenticatorSpec := &auth1alpha1.JWTAuthenticatorSpec{
+ jwksFetchShouldFailJWTAuthenticatorSpec := &authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: jwksFetchShouldFailServer.URL,
 Audience: goodAudience,
 TLS: conciergetestutil.TLSSpecFromTLSConfig(jwksFetchShouldFailServer.TLS),
@@ -617,12 +617,12 @@ func TestController(t *testing.T) {
 name: "Sync: valid and unchanged JWTAuthenticator: loop will preserve existing status conditions",
 syncKey: controllerlib.Key{Name: "test-name"},
 jwtAuthenticators: []runtime.Object{
- &auth1alpha1.JWTAuthenticator{
+ &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
 Spec: *someJWTAuthenticatorSpec,
- Status: auth1alpha1.JWTAuthenticatorStatus{
+ Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 Phase: "Ready",
 },
@@ -649,13 +649,13 @@ func TestController(t *testing.T) {
 name: "Sync: changed JWTAuthenticator: loop will update timestamps only on relevant statuses",
 syncKey: controllerlib.Key{Name: "test-name"},
 jwtAuthenticators: []runtime.Object{
- &auth1alpha1.JWTAuthenticator{
+ &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 Generation: 1234,
 },
 Spec: *someJWTAuthenticatorSpec,
- Status: auth1alpha1.JWTAuthenticatorStatus{
+ Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
 allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 1233),
 []metav1.Condition{
@@ -684,13 +684,13 @@ func TestController(t *testing.T) {
 },
 }},
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 Generation: 1234,
 },
 Spec: *someJWTAuthenticatorSpec,
- Status: auth1alpha1.JWTAuthenticatorStatus{
+ Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
 allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 1234),
 []metav1.Condition{
@@ -714,7 +714,7 @@ func TestController(t *testing.T) {
 name: "Sync: valid JWTAuthenticator with CA: loop will complete successfully and update status conditions.",
 syncKey: controllerlib.Key{Name: "test-name"},
 jwtAuthenticators: []runtime.Object{
- &auth1alpha1.JWTAuthenticator{
+ &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
@@ -732,12 +732,12 @@ func TestController(t *testing.T) {
 },
 }},
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
 Spec: *someJWTAuthenticatorSpec,
- Status: auth1alpha1.JWTAuthenticatorStatus{
+ Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 Phase: "Ready",
 },
@@ -756,7 +756,7 @@ func TestController(t *testing.T) {
 name: "Sync: JWTAuthenticator with custom username claim: loop will complete successfully and update status conditions.",
 syncKey: controllerlib.Key{Name: "test-name"},
 jwtAuthenticators: []runtime.Object{
- &auth1alpha1.JWTAuthenticator{
+ &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
@@ -774,12 +774,12 @@ func TestController(t *testing.T) {
 },
 }},
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
 Spec: *someJWTAuthenticatorSpecWithUsernameClaim,
- Status: auth1alpha1.JWTAuthenticatorStatus{
+ Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 Phase: "Ready",
 },
@@ -799,7 +799,7 @@ func TestController(t *testing.T) {
 name: "Sync: JWTAuthenticator with custom groups claim: loop will complete successfully and update status conditions.",
 syncKey: controllerlib.Key{Name: "test-name"},
 jwtAuthenticators: []runtime.Object{
- &auth1alpha1.JWTAuthenticator{
+ &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
@@ -817,12 +817,12 @@ func TestController(t *testing.T) {
 },
 }},
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
 Spec: *someJWTAuthenticatorSpecWithGroupsClaim,
- Status: auth1alpha1.JWTAuthenticatorStatus{
+ Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 Phase: "Ready",
 },
@@ -845,7 +845,7 @@ func TestController(t *testing.T) {
 authncache.Key{
 Name: "test-name",
 Kind: "JWTAuthenticator",
- APIGroup: auth1alpha1.SchemeGroupVersion.Group,
+ APIGroup: authenticationv1alpha1.SchemeGroupVersion.Group,
 },
 newCacheValue(t, *otherJWTAuthenticatorSpec, wantClose),
 )
@@ -853,7 +853,7 @@ func TestController(t *testing.T) {
 wantClose: true,
 syncKey: controllerlib.Key{Name: "test-name"},
 jwtAuthenticators: []runtime.Object{
- &auth1alpha1.JWTAuthenticator{
+ &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
@@ -871,12 +871,12 @@ func TestController(t *testing.T) {
 },
 }},
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
 Spec: *someJWTAuthenticatorSpec,
- Status: auth1alpha1.JWTAuthenticatorStatus{
+ Status: authenticationv1alpha1.JWTAuthenticatorStatus{
 Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0),
 Phase: "Ready",
 },
@@ -898,7 +898,7 @@ func TestController(t *testing.T) { authncache.Key{ Name: "test-name", Kind: "JWTAuthenticator", - APIGroup: auth1alpha1.SchemeGroupVersion.Group, + APIGroup: authenticationv1alpha1.SchemeGroupVersion.Group, }, newCacheValue(t, *someJWTAuthenticatorSpec, wantClose), ) @@ -906,7 +906,7 @@ func TestController(t *testing.T) { wantClose: false, syncKey: controllerlib.Key{Name: "test-name"}, jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, @@ -939,14 +939,14 @@ func TestController(t *testing.T) { authncache.Key{ Name: "test-name", Kind: "JWTAuthenticator", - APIGroup: auth1alpha1.SchemeGroupVersion.Group, + APIGroup: authenticationv1alpha1.SchemeGroupVersion.Group, }, struct{ authenticator.Token }{}, ) }, syncKey: controllerlib.Key{Name: "test-name"}, jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, @@ -970,12 +970,12 @@ func TestController(t *testing.T) { }, }}, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: *someJWTAuthenticatorSpec, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), Phase: "Ready", }, 
@@ -994,7 +994,7 @@ func TestController(t *testing.T) { name: "Sync: valid JWTAuthenticator without CA: loop will fail to cache the authenticator, will write failed and unknown status conditions, and will enqueue resync", syncKey: controllerlib.Key{Name: "test-name"}, jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, @@ -1002,12 +1002,12 @@ func TestController(t *testing.T) { }, }, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: *missingTLSJWTAuthenticatorSpec, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), []metav1.Condition{ @@ -1038,7 +1038,7 @@ func TestController(t *testing.T) { name: "validateTLS: JWTAuthenticator with invalid CA: loop will fail, will write failed and unknown status conditions, but will not enqueue a resync due to user config error", syncKey: controllerlib.Key{Name: "test-name"}, jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, 
@@ -1046,12 +1046,12 @@ func TestController(t *testing.T) { }, }, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: *invalidTLSJWTAuthenticatorSpec, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(someOtherIssuer, frozenMetav1Now, 0), []metav1.Condition{ @@ -1077,7 +1077,7 @@ func TestController(t *testing.T) { }, { name: "validateIssuer: parsing error (spec.issuer URL is invalid): loop will fail sync, will write failed and unknown status conditions, but will not enqueue a resync due to user config error", jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, @@ -1086,12 +1086,12 @@ func TestController(t *testing.T) { }, syncKey: controllerlib.Key{Name: "test-name"}, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: *invalidIssuerJWTAuthenticatorSpec, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), []metav1.Condition{ 
@@ -1116,7 +1116,7 @@ func TestController(t *testing.T) { }, { name: "validateIssuer: parsing error (spec.issuer URL has invalid scheme, requires https): loop will fail sync, will write failed and unknown conditions, but will not enqueue a resync due to user config error", jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, @@ -1125,12 +1125,12 @@ func TestController(t *testing.T) { }, syncKey: controllerlib.Key{Name: "test-name"}, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: *invalidIssuerSchemeJWTAuthenticatorSpec, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), []metav1.Condition{ @@ -1155,11 +1155,11 @@ func TestController(t *testing.T) { }, { name: "validateIssuer: issuer cannot include fragment: loop will fail sync, will write failed and unknown conditions, but will not enqueue a resync due to user config error", jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, - Spec: auth1alpha1.JWTAuthenticatorSpec{ + Spec: authenticationv1alpha1.JWTAuthenticatorSpec{ Issuer: "https://www.example.com/foo/bar/#do-not-include-fragment", Audience: goodAudience, TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS), 
@@ -1168,16 +1168,16 @@ func TestController(t *testing.T) { }, syncKey: controllerlib.Key{Name: "test-name"}, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, - Spec: auth1alpha1.JWTAuthenticatorSpec{ + Spec: authenticationv1alpha1.JWTAuthenticatorSpec{ Issuer: "https://www.example.com/foo/bar/#do-not-include-fragment", Audience: goodAudience, TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS), }, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), []metav1.Condition{ @@ -1202,11 +1202,11 @@ func TestController(t *testing.T) { }, { name: "validateIssuer: issuer cannot include query params: loop will fail sync, will write failed and unknown conditions, but will not enqueue a resync due to user config error", jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, - Spec: auth1alpha1.JWTAuthenticatorSpec{ + Spec: authenticationv1alpha1.JWTAuthenticatorSpec{ Issuer: "https://www.example.com/foo/bar/?query-params=not-allowed", Audience: goodAudience, TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS), 
@@ -1215,16 +1215,16 @@ func TestController(t *testing.T) { }, syncKey: controllerlib.Key{Name: "test-name"}, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, - Spec: auth1alpha1.JWTAuthenticatorSpec{ + Spec: authenticationv1alpha1.JWTAuthenticatorSpec{ Issuer: "https://www.example.com/foo/bar/?query-params=not-allowed", Audience: goodAudience, TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS), }, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), []metav1.Condition{ @@ -1249,11 +1249,11 @@ func TestController(t *testing.T) { }, { name: "validateIssuer: issuer cannot include .well-known in path: loop will fail sync, will write failed and unknown conditions, but will not enqueue a resync due to user config error", jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, - Spec: auth1alpha1.JWTAuthenticatorSpec{ + Spec: authenticationv1alpha1.JWTAuthenticatorSpec{ Issuer: "https://www.example.com/foo/bar/.well-known/openid-configuration", Audience: goodAudience, TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS), 
@@ -1262,16 +1262,16 @@ func TestController(t *testing.T) { }, syncKey: controllerlib.Key{Name: "test-name"}, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, - Spec: auth1alpha1.JWTAuthenticatorSpec{ + Spec: authenticationv1alpha1.JWTAuthenticatorSpec{ Issuer: "https://www.example.com/foo/bar/.well-known/openid-configuration", Audience: goodAudience, TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS), }, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), []metav1.Condition{ @@ -1296,7 +1296,7 @@ func TestController(t *testing.T) { }, { name: "validateProviderDiscovery: could not perform oidc discovery on provider issuer: loop will fail sync, will write failed and unknown conditions, and will enqueue new sync", jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, 
@@ -1305,12 +1305,12 @@ func TestController(t *testing.T) { }, syncKey: controllerlib.Key{Name: "test-name"}, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: *validIssuerURLButDoesNotExistJWTAuthenticatorSpec, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), []metav1.Condition{ @@ -1337,11 +1337,11 @@ func TestController(t *testing.T) { }, { name: "validateProviderDiscovery: excessively long errors truncated: loop will fail sync, will write failed and unknown conditions, and will enqueue new sync", jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, - Spec: auth1alpha1.JWTAuthenticatorSpec{ + Spec: authenticationv1alpha1.JWTAuthenticatorSpec{ Issuer: goodIssuer + "/path/to/not/found", Audience: goodAudience, TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS), 
@@ -1350,16 +1350,16 @@ func TestController(t *testing.T) { }, syncKey: controllerlib.Key{Name: "test-name"}, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, - Spec: auth1alpha1.JWTAuthenticatorSpec{ + Spec: authenticationv1alpha1.JWTAuthenticatorSpec{ Issuer: goodIssuer + "/path/to/not/found", Audience: goodAudience, TLS: conciergetestutil.TLSSpecFromTLSConfig(goodOIDCIssuerServer.TLS), }, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), []metav1.Condition{ @@ -1392,7 +1392,7 @@ func TestController(t *testing.T) { { name: "validateProviderJWKSURL: could not parse provider jwks_uri: loop will fail sync, will write failed and unknown conditions, and will enqueue new sync", jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, @@ -1401,12 +1401,12 @@ func TestController(t *testing.T) { }, syncKey: controllerlib.Key{Name: "test-name"}, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: *badIssuerJWKSURIJWTAuthenticatorSpec, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), []metav1.Condition{ 
@@ -1431,7 +1431,7 @@ func TestController(t *testing.T) { }, { name: "validateProviderJWKSURL: invalid scheme, requires 'https': loop will fail sync, will write failed and unknown conditions, and will enqueue new sync", jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, @@ -1440,12 +1440,12 @@ func TestController(t *testing.T) { }, syncKey: controllerlib.Key{Name: "test-name"}, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: *badIssuerJWKSURISchemeJWTAuthenticatorSpec, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), []metav1.Condition{ @@ -1473,7 +1473,7 @@ func TestController(t *testing.T) { { name: "validateJWKSFetch: could not fetch keys: loop will fail sync, will write failed and unknown status conditions, and will enqueue a resync", jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, 
@@ -1482,12 +1482,12 @@ func TestController(t *testing.T) { }, syncKey: controllerlib.Key{Name: "test-name"}, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: *jwksFetchShouldFailJWTAuthenticatorSpec, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), []metav1.Condition{ @@ -1512,12 +1512,12 @@ func TestController(t *testing.T) { { name: "updateStatus: called with matching original and updated conditions: will not make request to update conditions", jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: *someJWTAuthenticatorSpec, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), Phase: "Ready", }, @@ -1545,12 +1545,12 @@ func TestController(t *testing.T) { { name: "updateStatus: called with different original and updated conditions: will make request to update conditions", jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: *someJWTAuthenticatorSpec, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), []metav1.Condition{ 
@@ -1573,12 +1573,12 @@ func TestController(t *testing.T) { }, }}, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: *someJWTAuthenticatorSpec, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), Phase: "Ready", }, @@ -1595,12 +1595,12 @@ func TestController(t *testing.T) { { name: "updateStatus: when update request fails: error will enqueue a resync", jwtAuthenticators: []runtime.Object{ - &auth1alpha1.JWTAuthenticator{ + &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: *someJWTAuthenticatorSpec, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), []metav1.Condition{ @@ -1625,12 +1625,12 @@ func TestController(t *testing.T) { // This captures that there was an attempt to update to Ready, allHappyConditions, // but the wantSyncLoopErr indicates that there is a failure, so the JWTAuthenticator // remains with a bad phase and at least 1 sad condition - updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &auth1alpha1.JWTAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(jwtAuthenticatorsGVR, "", &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: *someJWTAuthenticatorSpec, - Status: auth1alpha1.JWTAuthenticatorStatus{ + Status: authenticationv1alpha1.JWTAuthenticatorStatus{ Conditions: allHappyConditionsSuccess(goodIssuer, frozenMetav1Now, 0), Phase: "Ready", }, 
@@ -1742,7 +1742,7 @@ func TestController(t *testing.T) { // We expected the cache to have an entry, so pull that entry from the cache and test it. expectedCacheKey := authncache.Key{ - APIGroup: auth1alpha1.GroupName, + APIGroup: authenticationv1alpha1.GroupName, Kind: "JWTAuthenticator", Name: syncCtx.Key.Name, } @@ -2083,7 +2083,7 @@ func createJWT( return jwt } -func newCacheValue(t *testing.T, spec auth1alpha1.JWTAuthenticatorSpec, wantClose bool) authncache.Value { +func newCacheValue(t *testing.T, spec authenticationv1alpha1.JWTAuthenticatorSpec, wantClose bool) authncache.Value { t.Helper() wasClosed := false diff --git a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go index 284fd6389..58f256c33 100644 --- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go +++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go @@ -24,7 +24,7 @@ import ( "k8s.io/klog/v2" "k8s.io/utils/clock" - auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" + authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned" authinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions/authentication/v1alpha1" pinnipedcontroller "go.pinniped.dev/internal/controller" @@ -126,7 +126,7 @@ func (c *webhookCacheFillerController) Sync(ctx controllerlib.Context) error { if !conditionsutil.HadErrorCondition(conditions) { c.cache.Store(authncache.Key{ - APIGroup: auth1alpha1.GroupName, + APIGroup: authenticationv1alpha1.GroupName, Kind: "WebhookAuthenticator", Name: ctx.Key.Name, }, webhookAuthenticator) 
@@ -264,7 +264,7 @@ func (c *webhookCacheFillerController) validateConnection(certPool *x509.CertPoo return conditions, nil } -func (c *webhookCacheFillerController) validateTLSBundle(tlsSpec *auth1alpha1.TLSSpec, conditions []*metav1.Condition) (*x509.CertPool, []byte, []*metav1.Condition, bool) { +func (c *webhookCacheFillerController) validateTLSBundle(tlsSpec *authenticationv1alpha1.TLSSpec, conditions []*metav1.Condition) (*x509.CertPool, []byte, []*metav1.Condition, bool) { rootCAs, pemBytes, err := pinnipedauthenticator.CABundle(tlsSpec) if err != nil { msg := fmt.Sprintf("%s: %s", "invalid TLS configuration", err.Error()) @@ -337,13 +337,13 @@ func (c *webhookCacheFillerController) validateEndpoint(endpoint string, conditi func (c *webhookCacheFillerController) updateStatus( ctx context.Context, - original *auth1alpha1.WebhookAuthenticator, + original *authenticationv1alpha1.WebhookAuthenticator, conditions []*metav1.Condition, ) error { updated := original.DeepCopy() if conditionsutil.HadErrorCondition(conditions) { - updated.Status.Phase = auth1alpha1.WebhookAuthenticatorPhaseError + updated.Status.Phase = authenticationv1alpha1.WebhookAuthenticatorPhaseError conditions = append(conditions, &metav1.Condition{ Type: typeReady, Status: metav1.ConditionFalse, @@ -351,7 +351,7 @@ func (c *webhookCacheFillerController) updateStatus( Message: "the WebhookAuthenticator is not ready: see other conditions for details", }) } else { - updated.Status.Phase = auth1alpha1.WebhookAuthenticatorPhaseReady + updated.Status.Phase = authenticationv1alpha1.WebhookAuthenticatorPhaseReady conditions = append(conditions, &metav1.Condition{ Type: typeReady, Status: metav1.ConditionTrue, diff --git a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go index 2c8564670..8711343e5 100644 --- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go 
+++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go @@ -28,7 +28,7 @@ import ( clocktesting "k8s.io/utils/clock/testing" "k8s.io/utils/ptr" - auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" + authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" pinnipedfake "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake" pinnipedinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions" "go.pinniped.dev/internal/certauthority" 
@@ -139,34 +139,34 @@ func TestController(t *testing.T) { timeInThePast := time.Date(1111, time.January, 1, 1, 1, 1, 111111, time.Local) frozenTimeInThePast := metav1.NewTime(timeInThePast) - goodWebhookAuthenticatorSpecWithCA := auth1alpha1.WebhookAuthenticatorSpec{ + goodWebhookAuthenticatorSpecWithCA := authenticationv1alpha1.WebhookAuthenticatorSpec{ Endpoint: goodWebhookDefaultServingCertEndpoint, TLS: conciergetestutil.TLSSpecFromTLSConfig(hostGoodDefaultServingCertServer.TLS), } - localWithExampleDotComWeebhookAuthenticatorSpec := auth1alpha1.WebhookAuthenticatorSpec{ + localWithExampleDotComWeebhookAuthenticatorSpec := authenticationv1alpha1.WebhookAuthenticatorSpec{ // CA for example.com, TLS serving cert for example.com, but endpoint is still localhost Endpoint: hostLocalWithExampleDotComCertServer.URL, - TLS: &auth1alpha1.TLSSpec{ + TLS: &authenticationv1alpha1.TLSSpec{ // CA Bundle for example.com CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForExampleDotCom.Bundle()), }, } - goodWebhookAuthenticatorSpecWithoutCA := auth1alpha1.WebhookAuthenticatorSpec{ + goodWebhookAuthenticatorSpecWithoutCA := authenticationv1alpha1.WebhookAuthenticatorSpec{ Endpoint: goodWebhookDefaultServingCertEndpoint, - TLS: &auth1alpha1.TLSSpec{CertificateAuthorityData: ""}, + TLS: &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: ""}, } - goodWebhookAuthenticatorSpecWith404Endpoint := auth1alpha1.WebhookAuthenticatorSpec{ + goodWebhookAuthenticatorSpecWith404Endpoint := authenticationv1alpha1.WebhookAuthenticatorSpec{ Endpoint: goodWebhookDefaultServingCertEndpointBut404, TLS: conciergetestutil.TLSSpecFromTLSConfig(hostGoodDefaultServingCertServer.TLS), } - badWebhookAuthenticatorSpecInvalidTLS := auth1alpha1.WebhookAuthenticatorSpec{ + badWebhookAuthenticatorSpecInvalidTLS := authenticationv1alpha1.WebhookAuthenticatorSpec{ Endpoint: goodWebhookDefaultServingCertEndpoint, - TLS: &auth1alpha1.TLSSpec{CertificateAuthorityData: "invalid base64-encoded 
data"}, + TLS: &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: "invalid base64-encoded data"}, } - badWebhookAuthenticatorSpecGoodEndpointButUnknownCA := auth1alpha1.WebhookAuthenticatorSpec{ + badWebhookAuthenticatorSpecGoodEndpointButUnknownCA := authenticationv1alpha1.WebhookAuthenticatorSpec{ Endpoint: goodWebhookDefaultServingCertEndpoint, - TLS: &auth1alpha1.TLSSpec{ + TLS: &authenticationv1alpha1.TLSSpec{ CertificateAuthorityData: base64.StdEncoding.EncodeToString(pemServerCertForUnknownServer), }, } @@ -392,12 +392,12 @@ func TestController(t *testing.T) { name: "Sync: valid and unchanged WebhookAuthenticator: loop will preserve existing status conditions", syncKey: controllerlib.Key{Name: "test-name"}, webhooks: []runtime.Object{ - &auth1alpha1.WebhookAuthenticator{ + &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: goodWebhookAuthenticatorSpecWithCA, - Status: auth1alpha1.WebhookAuthenticatorStatus{ + Status: authenticationv1alpha1.WebhookAuthenticatorStatus{ Conditions: allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0), Phase: "Ready", }, @@ -427,13 +427,13 @@ func TestController(t *testing.T) { name: "Sync: changed WebhookAuthenticator: loop will update timestamps only on relevant statuses", syncKey: controllerlib.Key{Name: "test-name"}, webhooks: []runtime.Object{ - &auth1alpha1.WebhookAuthenticator{ + &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", Generation: 1234, }, Spec: goodWebhookAuthenticatorSpecWithCA, - Status: auth1alpha1.WebhookAuthenticatorStatus{ + Status: authenticationv1alpha1.WebhookAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 1233), []metav1.Condition{ 
@@ -458,13 +458,13 @@ func TestController(t *testing.T) { }, }, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", Generation: 1234, }, Spec: goodWebhookAuthenticatorSpecWithCA, - Status: auth1alpha1.WebhookAuthenticatorStatus{ + Status: authenticationv1alpha1.WebhookAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 1234), []metav1.Condition{ @@ -487,7 +487,7 @@ func TestController(t *testing.T) { name: "Sync: valid WebhookAuthenticator with CA: will complete sync loop successfully with success conditions and ready phase", syncKey: controllerlib.Key{Name: "test-name"}, webhooks: []runtime.Object{ - &auth1alpha1.WebhookAuthenticator{ + &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, @@ -507,12 +507,12 @@ func TestController(t *testing.T) { }, }, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: goodWebhookAuthenticatorSpecWithCA, - Status: auth1alpha1.WebhookAuthenticatorStatus{ + Status: authenticationv1alpha1.WebhookAuthenticatorStatus{ Conditions: allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0), Phase: "Ready", }, 
@@ -530,14 +530,14 @@ func TestController(t *testing.T) { name: "Sync: valid WebhookAuthenticator with IPV6 and CA: will complete sync loop successfully with success conditions and ready phase", syncKey: controllerlib.Key{Name: "test-name"}, webhooks: []runtime.Object{ - &auth1alpha1.WebhookAuthenticator{ + &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, - Spec: func() auth1alpha1.WebhookAuthenticatorSpec { + Spec: func() authenticationv1alpha1.WebhookAuthenticatorSpec { ipv6 := goodWebhookAuthenticatorSpecWithCA.DeepCopy() ipv6.Endpoint = hostLocalIPv6Server.URL - ipv6.TLS = ptr.To(auth1alpha1.TLSSpec{ + ipv6.TLS = ptr.To(authenticationv1alpha1.TLSSpec{ CertificateAuthorityData: base64.StdEncoding.EncodeToString(ipv6CA), }) return *ipv6 @@ -557,19 +557,19 @@ func TestController(t *testing.T) { }, }, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, - Spec: func() auth1alpha1.WebhookAuthenticatorSpec { + Spec: func() authenticationv1alpha1.WebhookAuthenticatorSpec { ipv6 := goodWebhookAuthenticatorSpecWithCA.DeepCopy() ipv6.Endpoint = hostLocalIPv6Server.URL - ipv6.TLS = ptr.To(auth1alpha1.TLSSpec{ + ipv6.TLS = ptr.To(authenticationv1alpha1.TLSSpec{ CertificateAuthorityData: base64.StdEncoding.EncodeToString(ipv6CA), }) return *ipv6 }(), - Status: auth1alpha1.WebhookAuthenticatorStatus{ + Status: authenticationv1alpha1.WebhookAuthenticatorStatus{ Conditions: allHappyConditionsSuccess(hostLocalIPv6Server.URL, frozenMetav1Now, 0), Phase: "Ready", }, 
@@ -587,7 +587,7 @@ func TestController(t *testing.T) { name: "Sync: valid WebhookAuthenticator without CA: loop will fail to cache the authenticator, will write failed and unknown status conditions, and will enqueue resync", syncKey: controllerlib.Key{Name: "test-name"}, webhooks: []runtime.Object{ - &auth1alpha1.WebhookAuthenticator{ + &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, @@ -595,12 +595,12 @@ func TestController(t *testing.T) { }, }, wantActions: func() []coretesting.Action { - updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{ + updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, Spec: goodWebhookAuthenticatorSpecWithoutCA, - Status: auth1alpha1.WebhookAuthenticatorStatus{ + Status: authenticationv1alpha1.WebhookAuthenticatorStatus{ Conditions: conditionstestutil.Replace( allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0), []metav1.Condition{ @@ -627,7 +627,7 @@ func TestController(t *testing.T) { name: "validateTLS: WebhookAuthenticator with invalid CA will fail sync loop and will report failed and unknown conditions and Error phase, but will not enqueue a resync due to user config error", syncKey: controllerlib.Key{Name: "test-name"}, webhooks: []runtime.Object{ - &auth1alpha1.WebhookAuthenticator{ + &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: metav1.ObjectMeta{ Name: "test-name", }, 
@@ -635,12 +635,12 @@ func TestController(t *testing.T) {
 },
 },
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
 Spec: badWebhookAuthenticatorSpecInvalidTLS,
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
 allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 []metav1.Condition{
@@ -666,24 +666,24 @@ func TestController(t *testing.T) {
 name: "validateEndpoint: parsing error (spec.endpoint URL is invalid) will fail sync loop and will report failed and unknown conditions and Error phase, but will not enqueue a resync due to user config error",
 syncKey: controllerlib.Key{Name: "test-name"},
 webhooks: []runtime.Object{
- &auth1alpha1.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
- Spec: auth1alpha1.WebhookAuthenticatorSpec{
+ Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 Endpoint: badEndpointInvalidURL,
 },
 },
 },
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
- Spec: auth1alpha1.WebhookAuthenticatorSpec{
+ Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 Endpoint: badEndpointInvalidURL,
 },
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
 allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 []metav1.Condition{
@@ -710,24 +710,24 @@ func TestController(t *testing.T) {
 name: "validateEndpoint: parsing error (spec.endpoint URL has invalid scheme, requires https) will fail sync loop, will write failed and unknown status conditions, but will not enqueue a resync due to user config error",
 syncKey: controllerlib.Key{Name: "test-name"},
 webhooks: []runtime.Object{
- &auth1alpha1.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
- Spec: auth1alpha1.WebhookAuthenticatorSpec{
+ Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 Endpoint: badEndpointNoHTTPS,
 },
 },
 },
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
- Spec: auth1alpha1.WebhookAuthenticatorSpec{
+ Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 Endpoint: badEndpointNoHTTPS,
 },
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
 allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 []metav1.Condition{
@@ -754,30 +754,30 @@ func TestController(t *testing.T) {
 name: "validateEndpoint: should error if endpoint cannot be parsed",
 syncKey: controllerlib.Key{Name: "test-name"},
 webhooks: []runtime.Object{
- &auth1alpha1.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
- Spec: auth1alpha1.WebhookAuthenticatorSpec{
+ Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 Endpoint: "https://[0:0:0:0:0:0:0:1]:69999/some/fake/path",
- TLS: &auth1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 },
 },
 },
 },
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
- Spec: auth1alpha1.WebhookAuthenticatorSpec{
+ Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 Endpoint: "https://[0:0:0:0:0:0:0:1]:69999/some/fake/path",
- TLS: &auth1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 },
 },
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
 allHappyConditionsSuccess("https://[0:0:0:0:0:0:0:1]:69999/some/fake/path", frozenMetav1Now, 0),
 []metav1.Condition{
@@ -803,7 +803,7 @@ func TestController(t *testing.T) {
 name: "validateConnection: CA does not validate serving certificate for host, the dialer will error, will fail sync loop, will write failed and unknown status conditions, but will not enqueue a resync due to user config error",
 syncKey: controllerlib.Key{Name: "test-name"},
 webhooks: []runtime.Object{
- &auth1alpha1.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
@@ -812,12 +812,12 @@ func TestController(t *testing.T) {
 },
 wantSyncLoopErr: testutil.WantExactErrorString("cannot dial server: tls: failed to verify certificate: x509: certificate signed by unknown authority"),
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
 Spec: badWebhookAuthenticatorSpecGoodEndpointButUnknownCA,
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
 allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 []metav1.Condition{
@@ -845,7 +845,7 @@ func TestController(t *testing.T) {
 name: "validateConnection: 404 endpoint on a valid server will still validate server certificate, will complete sync loop successfully with success conditions and ready phase",
 syncKey: controllerlib.Key{Name: "test-name"},
 webhooks: []runtime.Object{
- &auth1alpha1.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
@@ -865,12 +865,12 @@ func TestController(t *testing.T) {
 },
 },
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
 Spec: goodWebhookAuthenticatorSpecWith404Endpoint,
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpointBut404, frozenMetav1Now, 0),
 Phase: "Ready",
 },
@@ -888,18 +888,18 @@ func TestController(t *testing.T) {
 name: "validateConnection: localhost hostname instead of 127.0.0.1 should still dial correctly as dialer should handle hostnames as well as IPv4",
 syncKey: controllerlib.Key{Name: "test-name"},
 webhooks: []runtime.Object{
- &auth1alpha1.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
- Spec: auth1alpha1.WebhookAuthenticatorSpec{
+ Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 Endpoint: fmt.Sprintf("https://localhost:%s", localhostURL.Port()),
- TLS: &auth1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 // CA Bundle for validating the server's certs
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAsHostname.Bundle()),
 },
 },
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: allHappyConditionsSuccess(fmt.Sprintf("https://localhost:%s", localhostURL.Port()), frozenMetav1Now, 0),
 Phase: "Ready",
 },
@@ -929,30 +929,30 @@ func TestController(t *testing.T) {
 name: "validateConnection: IPv6 address with port: should call dialer func with correct arguments",
 syncKey: controllerlib.Key{Name: "test-name"},
 webhooks: []runtime.Object{
- &auth1alpha1.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
- Spec: auth1alpha1.WebhookAuthenticatorSpec{
+ Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 Endpoint: "https://[0:0:0:0:0:0:0:1]:4242/some/fake/path",
- TLS: &auth1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 },
 },
 },
 },
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
- Spec: auth1alpha1.WebhookAuthenticatorSpec{
+ Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 Endpoint: "https://[0:0:0:0:0:0:0:1]:4242/some/fake/path",
- TLS: &auth1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 },
 },
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
 allHappyConditionsSuccess("https://[0:0:0:0:0:0:0:1]:4242/some/fake/path", frozenMetav1Now, 0),
 []metav1.Condition{
@@ -978,30 +978,30 @@ func TestController(t *testing.T) {
 name: "validateConnection: IPv6 address without port: should call dialer func with correct arguments",
 syncKey: controllerlib.Key{Name: "test-name"},
 webhooks: []runtime.Object{
- &auth1alpha1.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
- Spec: auth1alpha1.WebhookAuthenticatorSpec{
+ Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 Endpoint: "https://[0:0:0:0:0:0:0:1]/some/fake/path",
- TLS: &auth1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 },
 },
 },
 },
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
- Spec: auth1alpha1.WebhookAuthenticatorSpec{
+ Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 Endpoint: "https://[0:0:0:0:0:0:0:1]/some/fake/path",
- TLS: &auth1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 },
 },
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
 allHappyConditionsSuccess("https://[0:0:0:0:0:0:0:1]/some/fake/path", frozenMetav1Now, 0),
 []metav1.Condition{
@@ -1027,17 +1027,17 @@ func TestController(t *testing.T) {
 name: "validateConnection: localhost as IP address 127.0.0.1 should still dial correctly as dialer should handle hostnames as well as IPv4 and IPv6 addresses",
 syncKey: controllerlib.Key{Name: "test-name"},
 webhooks: []runtime.Object{
- &auth1alpha1.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
- Spec: auth1alpha1.WebhookAuthenticatorSpec{
+ Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 Endpoint: hostAs127001WebhookServer.URL,
- TLS: &auth1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 },
 },
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: allHappyConditionsSuccess(hostAs127001WebhookServer.URL, frozenMetav1Now, 0),
 Phase: "Ready",
 },
@@ -1067,24 +1067,24 @@ func TestController(t *testing.T) {
 name: "validateConnection: CA for example.com, serving cert for example.com, but endpoint 127.0.0.1 will fail to validate certificate and will fail sync loop and will report failed and unknown conditions and Error phase, but will not enqueue a resync due to user config error",
 syncKey: controllerlib.Key{Name: "test-name"},
 webhooks: []runtime.Object{
- &auth1alpha1.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
 Spec: localWithExampleDotComWeebhookAuthenticatorSpec,
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: allHappyConditionsSuccess(hostLocalWithExampleDotComCertServer.URL, frozenMetav1Now, 0),
 Phase: "Ready",
 },
 },
 },
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
 Spec: localWithExampleDotComWeebhookAuthenticatorSpec,
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
 allHappyConditionsSuccess(hostLocalWithExampleDotComCertServer.URL, frozenMetav1Now, 0),
 []metav1.Condition{
@@ -1110,30 +1110,30 @@ func TestController(t *testing.T) {
 name: "validateConnection: IPv6 address without port or brackets: should succeed since IPv6 brackets are optional without port",
 syncKey: controllerlib.Key{Name: "test-name"},
 webhooks: []runtime.Object{
- &auth1alpha1.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
- Spec: auth1alpha1.WebhookAuthenticatorSpec{
+ Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 Endpoint: "https://0:0:0:0:0:0:0:1/some/fake/path",
- TLS: &auth1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 },
 },
 },
 },
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
- Spec: auth1alpha1.WebhookAuthenticatorSpec{
+ Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
 Endpoint: "https://0:0:0:0:0:0:0:1/some/fake/path",
- TLS: &auth1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(caForLocalhostAs127001.Bundle()),
 },
 },
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
 allHappyConditionsSuccess("https://0:0:0:0:0:0:0:1/some/fake/path", frozenMetav1Now, 0),
 []metav1.Condition{
@@ -1159,12 +1159,12 @@ func TestController(t *testing.T) {
 name: "updateStatus: called with matching original and updated conditions: will not make request to update conditions",
 syncKey: controllerlib.Key{Name: "test-name"},
 webhooks: []runtime.Object{
- &auth1alpha1.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
 Spec: goodWebhookAuthenticatorSpecWithCA,
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 Phase: "Ready",
 },
@@ -1194,12 +1194,12 @@ func TestController(t *testing.T) {
 name: "updateStatus: called with different original and updated conditions: will make request to update conditions",
 syncKey: controllerlib.Key{Name: "test-name"},
 webhooks: []runtime.Object{
- &auth1alpha1.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
 Spec: goodWebhookAuthenticatorSpecWithCA,
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
 allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 []metav1.Condition{
@@ -1223,12 +1223,12 @@ func TestController(t *testing.T) {
 },
 },
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
 Spec: goodWebhookAuthenticatorSpecWithCA,
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 Phase: "Ready",
 },
@@ -1255,12 +1255,12 @@ func TestController(t *testing.T) {
 )
 },
 webhooks: []runtime.Object{
- &auth1alpha1.WebhookAuthenticator{
+ &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
 Spec: goodWebhookAuthenticatorSpecWithCA,
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: conditionstestutil.Replace(
 allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 []metav1.Condition{
@@ -1284,12 +1284,12 @@ func TestController(t *testing.T) {
 },
 },
 wantActions: func() []coretesting.Action {
- updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &auth1alpha1.WebhookAuthenticator{
+ updateStatusAction := coretesting.NewUpdateAction(webhookAuthenticatorGVR, "", &authenticationv1alpha1.WebhookAuthenticator{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test-name",
 },
 Spec: goodWebhookAuthenticatorSpecWithCA,
- Status: auth1alpha1.WebhookAuthenticatorStatus{
+ Status: authenticationv1alpha1.WebhookAuthenticatorStatus{
 Conditions: allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 Phase: "Ready",
 },
diff --git a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
index 2a127d450..df86e06ac 100644
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package activedirectoryupstreamwatcher implements a controller which watches ActiveDirectoryIdentityProviders.
@@ -20,7 +20,7 @@ import (
 corev1informers "k8s.io/client-go/informers/core/v1"
 
 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
- supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+ pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 idpinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1"
 pinnipedcontroller "go.pinniped.dev/internal/controller"
 "go.pinniped.dev/internal/controller/conditionsutil"
@@ -232,7 +232,7 @@ type activeDirectoryWatcherController struct {
 cache UpstreamActiveDirectoryIdentityProviderICache
 validatedSettingsCache upstreamwatchers.ValidatedSettingsCacheI
 ldapDialer upstreamldap.LDAPDialer
- client supervisorclientset.Interface
+ client pinnipedsupervisorclientset.Interface
 activeDirectoryIdentityProviderInformer idpinformers.ActiveDirectoryIdentityProviderInformer
 secretInformer corev1informers.SecretInformer
 }
@@ -240,7 +240,7 @@ type activeDirectoryWatcherController struct {
 // New instantiates a new controllerlib.Controller which will populate the provided UpstreamActiveDirectoryIdentityProviderICache.
 func New(
 idpCache UpstreamActiveDirectoryIdentityProviderICache,
- client supervisorclientset.Interface,
+ client pinnipedsupervisorclientset.Interface,
 activeDirectoryIdentityProviderInformer idpinformers.ActiveDirectoryIdentityProviderInformer,
 secretInformer corev1informers.SecretInformer,
 withInformer pinnipedcontroller.WithInformerOptionFunc,
@@ -263,7 +263,7 @@ func newInternal(
 idpCache UpstreamActiveDirectoryIdentityProviderICache,
 validatedSettingsCache upstreamwatchers.ValidatedSettingsCacheI,
 ldapDialer upstreamldap.LDAPDialer,
- client supervisorclientset.Interface,
+ client pinnipedsupervisorclientset.Interface,
 activeDirectoryIdentityProviderInformer idpinformers.ActiveDirectoryIdentityProviderInformer,
 secretInformer corev1informers.SecretInformer,
 withInformer pinnipedcontroller.WithInformerOptionFunc,
diff --git a/internal/controller/supervisorconfig/federation_domain_watcher.go b/internal/controller/supervisorconfig/federation_domain_watcher.go
index 643309bf4..9b41135bf 100644
--- a/internal/controller/supervisorconfig/federation_domain_watcher.go
+++ b/internal/controller/supervisorconfig/federation_domain_watcher.go
@@ -22,7 +22,7 @@ import (
 "k8s.io/utils/clock"
 
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
- supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+ pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 configinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1"
 idpinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/idp/v1alpha1"
 "go.pinniped.dev/internal/celtransformer"
@@ -82,7 +82,7 @@ type federationDomainWatcherController struct {
 federationDomainsSetter FederationDomainsSetter
 apiGroup string
 clock clock.Clock
- client supervisorclientset.Interface
+ client pinnipedsupervisorclientset.Interface
 federationDomainInformer configinformers.FederationDomainInformer
 oidcIdentityProviderInformer idpinformers.OIDCIdentityProviderInformer
 
@@ -99,7 +99,7 @@ func NewFederationDomainWatcherController(
 federationDomainsSetter FederationDomainsSetter,
 apiGroupSuffix string,
 clock clock.Clock,
- client supervisorclientset.Interface,
+ client pinnipedsupervisorclientset.Interface,
 federationDomainInformer configinformers.FederationDomainInformer,
 oidcIdentityProviderInformer idpinformers.OIDCIdentityProviderInformer,
 ldapIdentityProviderInformer idpinformers.LDAPIdentityProviderInformer,
diff --git a/internal/controller/supervisorconfig/generator/federation_domain_secrets.go b/internal/controller/supervisorconfig/generator/federation_domain_secrets.go
index 4b511ca6c..a8c9c6373 100644
--- a/internal/controller/supervisorconfig/generator/federation_domain_secrets.go
+++ b/internal/controller/supervisorconfig/generator/federation_domain_secrets.go
@@ -17,7 +17,7 @@ import (
 "k8s.io/klog/v2"
 
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
- supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+ pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 configinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1"
 pinnipedcontroller "go.pinniped.dev/internal/controller"
 "go.pinniped.dev/internal/controllerlib"
@@ -28,7 +28,7 @@ type federationDomainSecretsController struct {
 secretHelper SecretHelper
 secretRefFunc func(domain *configv1alpha1.FederationDomainStatus) *corev1.LocalObjectReference
 kubeClient kubernetes.Interface
- pinnipedClient supervisorclientset.Interface
+ pinnipedClient pinnipedsupervisorclientset.Interface
 federationDomainInformer configinformers.FederationDomainInformer
 secretInformer corev1informers.SecretInformer
 }
@@ -40,7 +40,7 @@ func NewFederationDomainSecretsController(
 secretHelper SecretHelper,
 secretRefFunc func(domain *configv1alpha1.FederationDomainStatus) *corev1.LocalObjectReference,
 kubeClient kubernetes.Interface,
- pinnipedClient supervisorclientset.Interface,
+ pinnipedClient pinnipedsupervisorclientset.Interface,
 secretInformer corev1informers.SecretInformer,
 federationDomainInformer configinformers.FederationDomainInformer,
 withInformer pinnipedcontroller.WithInformerOptionFunc,
diff --git a/internal/controller/supervisorconfig/jwks_writer.go b/internal/controller/supervisorconfig/jwks_writer.go
index a5918972d..df4666ba7 100644
--- a/internal/controller/supervisorconfig/jwks_writer.go
+++ b/internal/controller/supervisorconfig/jwks_writer.go
@@ -23,7 +23,7 @@ import (
 "k8s.io/klog/v2"
 
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
- supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+ pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 configinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions/config/v1alpha1"
 pinnipedcontroller "go.pinniped.dev/internal/controller"
 "go.pinniped.dev/internal/controller/supervisorconfig/generator"
@@ -60,7 +60,7 @@ func generateECKey(r io.Reader) (interface{}, error) {
 // secrets, both via a cache and via the API.
 type jwksWriterController struct {
 jwksSecretLabels map[string]string
- pinnipedClient supervisorclientset.Interface
+ pinnipedClient pinnipedsupervisorclientset.Interface
 kubeClient kubernetes.Interface
 federationDomainInformer configinformers.FederationDomainInformer
 secretInformer corev1informers.SecretInformer
@@ -71,7 +71,7 @@ type jwksWriterController struct {
 func NewJWKSWriterController(
 jwksSecretLabels map[string]string,
 kubeClient kubernetes.Interface,
- pinnipedClient supervisorclientset.Interface,
+ pinnipedClient pinnipedsupervisorclientset.Interface,
 secretInformer corev1informers.SecretInformer,
 federationDomainInformer configinformers.FederationDomainInformer,
 withInformer pinnipedcontroller.WithInformerOptionFunc,
diff --git a/internal/federationdomain/clientregistry/clientregistry_test.go b/internal/federationdomain/clientregistry/clientregistry_test.go
index 1d8f20612..3484c6988 100644
--- a/internal/federationdomain/clientregistry/clientregistry_test.go
+++ b/internal/federationdomain/clientregistry/clientregistry_test.go
@@ -10,7 +10,7 @@ import (
 "testing"
 "time"
 
- "github.com/coreos/go-oidc/v3/oidc"
+ coreosoidc "github.com/coreos/go-oidc/v3/oidc"
 "github.com/ory/fosite"
 "github.com/stretchr/testify/require"
 corev1 "k8s.io/api/core/v1"
@@ -294,7 +294,7 @@ func requireEqualsPinnipedCLI(t *testing.T, c *Client) {
 require.Equal(t, []string{"http://127.0.0.1/callback"}, c.GetRedirectURIs())
 require.Equal(t, fosite.Arguments{"authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:token-exchange"}, c.GetGrantTypes())
 require.Equal(t, fosite.Arguments{"code"}, c.GetResponseTypes())
- require.Equal(t, fosite.Arguments{oidc.ScopeOpenID, oidc.ScopeOfflineAccess, "profile", "email", "pinniped:request-audience", "username", "groups"}, c.GetScopes())
+ require.Equal(t, fosite.Arguments{coreosoidc.ScopeOpenID, coreosoidc.ScopeOfflineAccess, "profile", "email", "pinniped:request-audience", "username", "groups"}, c.GetScopes())
 require.True(t, c.IsPublic())
 require.Nil(t, c.GetAudience())
 require.Nil(t, c.GetRequestURIs())
diff --git a/internal/federationdomain/endpoints/tokenexchange/token_exchange.go b/internal/federationdomain/endpoints/tokenexchange/token_exchange.go
index 61a67e367..b3032be19 100644
--- a/internal/federationdomain/endpoints/tokenexchange/token_exchange.go
+++ b/internal/federationdomain/endpoints/tokenexchange/token_exchange.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package tokenexchange
@@ -9,7 +9,7 @@ import (
 "strings"
 
 "github.com/ory/fosite"
- "github.com/ory/fosite/handler/oauth2"
+ fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 "github.com/ory/fosite/handler/openid"
 "github.com/pkg/errors"
 
@@ -30,16 +30,16 @@ type stsParams struct {
 func HandlerFactory(config fosite.Configurator, storage interface{}, strategy interface{}) interface{} {
 return &tokenExchangeHandler{
 idTokenStrategy: strategy.(openid.OpenIDConnectTokenStrategy),
- accessTokenStrategy: strategy.(oauth2.AccessTokenStrategy),
- accessTokenStorage: storage.(oauth2.AccessTokenStorage),
+ accessTokenStrategy: strategy.(fositeoauth2.AccessTokenStrategy),
+ accessTokenStorage: storage.(fositeoauth2.AccessTokenStorage),
 fositeConfig: config,
 }
 }
 
 type tokenExchangeHandler struct {
 idTokenStrategy openid.OpenIDConnectTokenStrategy
- accessTokenStrategy oauth2.AccessTokenStrategy
- accessTokenStorage oauth2.AccessTokenStorage
+ accessTokenStrategy fositeoauth2.AccessTokenStrategy
+ accessTokenStorage fositeoauth2.AccessTokenStorage
 fositeConfig fosite.Configurator
 }
 
diff --git a/internal/federationdomain/storage/kube_storage.go b/internal/federationdomain/storage/kube_storage.go
index 3ffe1b0df..c75053ccb 100644
--- a/internal/federationdomain/storage/kube_storage.go
+++ b/internal/federationdomain/storage/kube_storage.go
@@ -8,7 +8,7 @@ import (
 "time"
 
 "github.com/ory/fosite"
- "github.com/ory/fosite/handler/oauth2"
+ fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 "github.com/ory/fosite/handler/openid"
 fositepkce "github.com/ory/fosite/handler/pkce"
 corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -27,7 +27,7 @@ import (
 
 type KubeStorage struct {
 clientManager fosite.ClientManager
- authorizationCodeStorage oauth2.AuthorizeCodeStorage
+ authorizationCodeStorage fositeoauth2.AuthorizeCodeStorage
 pkceStorage fositepkce.PKCERequestStorage
 oidcStorage openid.OpenIDConnectRequestStorage
 accessTokenStorage accesstoken.RevocationStorage
diff --git a/internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy.go b/internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy.go
index 200dd41c9..ee432d439 100644
--- a/internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy.go
+++ b/internal/federationdomain/strategy/dynamic_oauth2_hmac_strategy.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package strategy
@@ -9,7 +9,7 @@ import (
 
 "github.com/ory/fosite"
 "github.com/ory/fosite/compose"
- "github.com/ory/fosite/handler/oauth2"
+ fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 errorsx "github.com/pkg/errors"
 
 "go.pinniped.dev/internal/federationdomain/storage"
@@ -44,7 +44,7 @@ type DynamicOauth2HMACStrategy struct {
 keyFunc func() []byte
 }
 
-var _ oauth2.CoreStrategy = &DynamicOauth2HMACStrategy{}
+var _ fositeoauth2.CoreStrategy = &DynamicOauth2HMACStrategy{}
 
 func NewDynamicOauth2HMACStrategy(
 fositeConfig *fosite.Config,
@@ -156,6 +156,6 @@ func (s *DynamicOauth2HMACStrategy) ValidateAuthorizeCode(
 return s.delegate().ValidateAuthorizeCode(ctx, requester, replacePrefix(token, pinAuthcodePrefix, oryAuthcodePrefix))
 }
 
-func (s *DynamicOauth2HMACStrategy) delegate() *oauth2.HMACSHAStrategy {
+func (s *DynamicOauth2HMACStrategy) delegate() *fositeoauth2.HMACSHAStrategy {
 return compose.NewOAuth2HMACStrategy(storage.NewDynamicGlobalSecretConfig(s.fositeConfig, s.keyFunc))
 }
diff --git a/internal/fositestorage/accesstoken/accesstoken.go b/internal/fositestorage/accesstoken/accesstoken.go
index b95e47c09..eda7ce925 100644
--- a/internal/fositestorage/accesstoken/accesstoken.go
+++ b/internal/fositestorage/accesstoken/accesstoken.go
@@ -9,7 +9,7 @@ import (
 "time"
 
 "github.com/ory/fosite"
- "github.com/ory/fosite/handler/oauth2"
+ fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 corev1 "k8s.io/api/core/v1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -39,7 +39,7 @@ const (
 )
 
 type RevocationStorage interface {
- oauth2.AccessTokenStorage
+ fositeoauth2.AccessTokenStorage
 RevokeAccessToken(ctx context.Context, requestID string) error
 }
 
diff --git a/internal/fositestorage/authorizationcode/authorizationcode.go b/internal/fositestorage/authorizationcode/authorizationcode.go
index 5b19a217e..189a9ce35 100644
--- a/internal/fositestorage/authorizationcode/authorizationcode.go
+++ b/internal/fositestorage/authorizationcode/authorizationcode.go
@@ -10,7 +10,7 @@ import (
 "time"
 
 "github.com/ory/fosite"
- "github.com/ory/fosite/handler/oauth2"
+ fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 corev1 "k8s.io/api/core/v1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -39,7 +39,7 @@ const (
 authorizeCodeStorageVersion = "7"
 )
 
-var _ oauth2.AuthorizeCodeStorage = &authorizeCodeStorage{}
+var _ fositeoauth2.AuthorizeCodeStorage = &authorizeCodeStorage{}
 
 type authorizeCodeStorage struct {
 storage crud.Storage
@@ -52,7 +52,7 @@ type Session struct {
 Version string `json:"version"`
 }
 
-func New(secrets corev1client.SecretInterface, clock func() time.Time, sessionStorageLifetime timeouts.StorageLifetime) oauth2.AuthorizeCodeStorage {
+func New(secrets corev1client.SecretInterface, clock func() time.Time, sessionStorageLifetime timeouts.StorageLifetime) fositeoauth2.AuthorizeCodeStorage {
 return &authorizeCodeStorage{storage: crud.New(TypeLabelValue, secrets, clock), lifetime: sessionStorageLifetime}
 }
 
diff --git a/internal/fositestorage/authorizationcode/authorizationcode_test.go b/internal/fositestorage/authorizationcode/authorizationcode_test.go
index f39e5580a..feba59615 100644
--- a/internal/fositestorage/authorizationcode/authorizationcode_test.go
+++ b/internal/fositestorage/authorizationcode/authorizationcode_test.go
@@ -18,7 +18,7 @@ import (
 "github.com/go-jose/go-jose/v3"
 fuzz "github.com/google/gofuzz"
 "github.com/ory/fosite"
- "github.com/ory/fosite/handler/oauth2"
+ fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 "github.com/ory/fosite/handler/openid"
 "github.com/ory/fosite/token/jwt"
 "github.com/pkg/errors"
@@ -276,7 +276,7 @@ func TestCreateWithWrongRequesterDataTypes(t *testing.T) {
 require.EqualError(t, err, "requester's client must be of type clientregistry.Client")
 }
 
-func makeTestSubject(lifetimeFunc timeouts.StorageLifetime) (context.Context, *fake.Clientset, corev1client.SecretInterface, oauth2.AuthorizeCodeStorage) {
+func makeTestSubject(lifetimeFunc timeouts.StorageLifetime) (context.Context, *fake.Clientset, corev1client.SecretInterface, fositeoauth2.AuthorizeCodeStorage) {
 client := fake.NewSimpleClientset()
 secrets := client.CoreV1().Secrets(namespace)
 return context.Background(),
diff --git a/internal/fositestorage/refreshtoken/refreshtoken.go b/internal/fositestorage/refreshtoken/refreshtoken.go
index 13389afc0..0e74d7167 100644
--- a/internal/fositestorage/refreshtoken/refreshtoken.go
+++ b/internal/fositestorage/refreshtoken/refreshtoken.go
@@ -9,7 +9,7 @@ import (
 "time"
 
 "github.com/ory/fosite"
- "github.com/ory/fosite/handler/oauth2"
+ fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 corev1 "k8s.io/api/core/v1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -39,7 +39,7 @@ const (
 )
 
 type RevocationStorage interface {
- oauth2.RefreshTokenStorage
+ fositeoauth2.RefreshTokenStorage
 RevokeRefreshToken(ctx context.Context, requestID string) error
 RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) error
 }
diff --git a/internal/fositestoragei/fosite_storage_interface.go b/internal/fositestoragei/fosite_storage_interface.go
index 408dfb28c..39ee4589d 100644
--- a/internal/fositestoragei/fosite_storage_interface.go
+++ b/internal/fositestoragei/fosite_storage_interface.go
@@ -1,11 +1,11 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package fositestoragei
 
 import (
 "github.com/ory/fosite"
- "github.com/ory/fosite/handler/oauth2"
+ fositeoauth2 "github.com/ory/fosite/handler/oauth2"
 "github.com/ory/fosite/handler/openid"
 "github.com/ory/fosite/handler/pkce"
 )
@@ -14,8 +14,8 @@ import (
 // Not having this interface makes it a pain to avoid cyclical test dependencies, so we'll define it.
 type AllFositeStorage interface {
 fosite.ClientManager
- oauth2.CoreStorage
- oauth2.TokenRevocationStorage
+ fositeoauth2.CoreStorage
+ fositeoauth2.TokenRevocationStorage
 openid.OpenIDConnectRequestStorage
 pkce.PKCERequestStorage
 }
diff --git a/internal/groupsuffix/groupsuffix_test.go b/internal/groupsuffix/groupsuffix_test.go
index bf7f3af4d..8a40084f5 100644
--- a/internal/groupsuffix/groupsuffix_test.go
+++ b/internal/groupsuffix/groupsuffix_test.go
@@ -14,7 +14,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime/schema"
 
- authv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 "go.pinniped.dev/internal/kubeclient"
@@ -154,11 +154,11 @@ func TestMiddlware(t *testing.T) {
 )
 tokenCredentialRequestWithPinnipedAuthenticator := with(
 tokenCredentialRequest,
- authenticatorAPIGroup(authv1alpha1.SchemeGroupVersion.Group),
+ authenticatorAPIGroup(authenticationv1alpha1.SchemeGroupVersion.Group),
 )
 tokenCredentialRequestWithCustomAPIGroupAuthenticator := with(
 tokenCredentialRequest,
- authenticatorAPIGroup(replaceGV(t, authv1alpha1.SchemeGroupVersion, newSuffix).Group),
+ authenticatorAPIGroup(replaceGV(t, authenticationv1alpha1.SchemeGroupVersion, newSuffix).Group),
 )
 tokenCredentialRequestWithNewGroup := with(
 tokenCredentialRequest,
@@ -166,11 +166,11 @@ func TestMiddlware(t *testing.T) {
 )
 tokenCredentialRequestWithNewGroupAndPinnipedAuthenticator := with(
 tokenCredentialRequestWithNewGroup,
- authenticatorAPIGroup(authv1alpha1.SchemeGroupVersion.Group),
+ authenticatorAPIGroup(authenticationv1alpha1.SchemeGroupVersion.Group),
 )
 tokenCredentialRequestWithNewGroupAndCustomAPIGroupAuthenticator := with(
 tokenCredentialRequestWithNewGroup,
- authenticatorAPIGroup(replaceGV(t, authv1alpha1.SchemeGroupVersion, newSuffix).Group),
+ authenticatorAPIGroup(replaceGV(t, authenticationv1alpha1.SchemeGroupVersion, newSuffix).Group),
 )
 
 tests := []struct {
diff --git a/internal/supervisor/server/server.go b/internal/supervisor/server/server.go
index 7f3925c11..1be051b6e 100644
--- a/internal/supervisor/server/server.go
+++ b/internal/supervisor/server/server.go
@@ -39,7 +39,7 @@ import (
 "k8s.io/utils/clock"
 
 configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
- supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
+ pinnipedsupervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
 "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
 supervisorinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
 supervisoropenapi "go.pinniped.dev/generated/latest/client/supervisor/openapi"
@@ -141,7 +141,7 @@ func prepareControllers(
 secretCache *secret.Cache,
 supervisorDeployment *appsv1.Deployment,
 kubeClient kubernetes.Interface,
- pinnipedClient supervisorclientset.Interface,
+ pinnipedClient pinnipedsupervisorclientset.Interface,
 aggregatorClient aggregatorclient.Interface,
 kubeInformers k8sinformers.SharedInformerFactory,
 pinnipedInformers supervisorinformers.SharedInformerFactory,
diff --git a/internal/testutil/assertions.go b/internal/testutil/assertions.go
index ec4211c1d..e104f7a7b 100644
--- a/internal/testutil/assertions.go
+++ b/internal/testutil/assertions.go
@@ -12,7 +12,7 @@ import (
 "time"
 
 "github.com/stretchr/testify/require"
- v12 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/selection"
 v1 "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -49,7 +49,7 @@ func RequireEqualContentType(t *testing.T, actual string, expected string) {
 func RequireNumberOfSecretsMatchingLabelSelector(t *testing.T, secrets v1.SecretInterface, labelSet labels.Set, expectedNumberOfSecrets int) {
 t.Helper()
 
- storedAuthcodeSecrets, err := secrets.List(context.Background(), v12.ListOptions{
+ storedAuthcodeSecrets, err := secrets.List(context.Background(), metav1.ListOptions{
 LabelSelector: labelSet.String(),
 })
 require.NoError(t, err)
@@ -66,7 +66,7 @@ func RequireNumberOfSecretsExcludingLabelSelector(t *testing.T, secrets v1.Secre
 selector = selector.Add(*requirement)
 }
 
- storedAuthcodeSecrets, err := secrets.List(context.Background(), v12.ListOptions{
+ storedAuthcodeSecrets, err := secrets.List(context.Background(), metav1.ListOptions{
 LabelSelector: selector.String(),
 })
 require.NoError(t, err)
diff --git a/internal/testutil/conciergetestutil/tlstestutil.go b/internal/testutil/conciergetestutil/tlstestutil.go
index f99ba4e86..1f275c89f 100644
--- a/internal/testutil/conciergetestutil/tlstestutil.go
+++ b/internal/testutil/conciergetestutil/tlstestutil.go
@@ -8,10 +8,10 @@ import (
 "encoding/base64"
 "encoding/pem"
 
- auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 )
 
-func TLSSpecFromTLSConfig(tls *tls.Config) *auth1alpha1.TLSSpec {
+func TLSSpecFromTLSConfig(tls *tls.Config) *authenticationv1alpha1.TLSSpec {
 pemData := make([]byte, 0)
 for _, certificate := range tls.Certificates {
 // this is the public part of the certificate, the private is the certificate.PrivateKey
@@ -22,7 +22,7 @@ func TLSSpecFromTLSConfig(tls *tls.Config) *auth1alpha1.TLSSpec {
 })...)
 }
 }
- return &auth1alpha1.TLSSpec{
+ return &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: base64.StdEncoding.EncodeToString(pemData),
 }
 }
diff --git a/internal/testutil/kube_server_compatibility.go b/internal/testutil/kube_server_compatibility.go
index f4a5275e0..91764e57f 100644
--- a/internal/testutil/kube_server_compatibility.go
+++ b/internal/testutil/kube_server_compatibility.go
@@ -10,7 +10,7 @@ import (
 
 "github.com/stretchr/testify/require"
 certificatesv1 "k8s.io/api/certificates/v1"
- v1 "k8s.io/api/core/v1"
+ corev1 "k8s.io/api/core/v1"
 "k8s.io/client-go/discovery"
 )
 
@@ -66,7 +66,7 @@ func CheckServiceAccountExtraFieldsAccountingForChangesInK8s1_30[M ~map[string]V
 t *testing.T,
 discoveryClient discovery.DiscoveryInterface,
 actualExtras M,
- expectedPodValues *v1.Pod,
+ expectedPodValues *corev1.Pod,
 ) {
 t.Helper()
 
diff --git a/internal/upstreamoidc/upstreamoidc_test.go b/internal/upstreamoidc/upstreamoidc_test.go
index 904bf6b21..58f228fa8 100644
--- a/internal/upstreamoidc/upstreamoidc_test.go
+++ b/internal/upstreamoidc/upstreamoidc_test.go
@@ -16,7 +16,7 @@ import (
 "time"
 "unsafe"
 
- "github.com/coreos/go-oidc/v3/oidc"
+ coreosoidc "github.com/coreos/go-oidc/v3/oidc"
 "github.com/go-jose/go-jose/v3"
 "github.com/stretchr/testify/require"
 "go.uber.org/mock/gomock"
@@ -108,7 +108,7 @@ func TestProviderConfig(t *testing.T) {
 wantToken oidctypes.Token
 
 rawClaims []byte
- userInfo *oidc.UserInfo
+ userInfo *coreosoidc.UserInfo
 userInfoErr error
 wantUserInfoCalled bool
 }{
@@ -204,7 +204,7 @@ func TestProviderConfig(t *testing.T) {
 name: "user info sub error",
 returnIDTok: validIDToken,
 wantErr: "could not fetch user info claims: userinfo 'sub' claim (test-user-2) did not match id_token 'sub' claim (test-user)",
- userInfo: &oidc.UserInfo{Subject: "test-user-2"},
+ userInfo: &coreosoidc.UserInfo{Subject: "test-user-2"},
 },
 {
 name: "user info is not json",
@@ -746,7 +746,7 @@ func TestProviderConfig(t *testing.T) {
 nonce nonce.Nonce
 requireIDToken bool
 requireUserInfo bool
- userInfo *oidc.UserInfo
+ userInfo *coreosoidc.UserInfo
 rawClaims []byte
 userInfoErr error
 wantErr string
@@ -1127,7 +1127,7 @@ func TestProviderConfig(t *testing.T) {
 wantToken oidctypes.Token
 
 rawClaims []byte
- userInfo *oidc.UserInfo
+ userInfo *coreosoidc.UserInfo
 userInfoErr error
 wantUserInfoCalled bool
 }{
@@ -1260,7 +1260,7 @@ func TestProviderConfig(t *testing.T) {
 authCode: "valid",
 returnIDTok: validIDToken,
 wantErr: "could not fetch user info claims: userinfo 'sub' claim (test-user-2) did not match id_token 'sub' claim (test-user)",
- userInfo: &oidc.UserInfo{Subject: "test-user-2"},
+ userInfo: &coreosoidc.UserInfo{Subject: "test-user-2"},
 },
 {
 name: "user info is not json",
@@ -1407,8 +1407,8 @@ func TestProviderConfig(t *testing.T) {
 })
 }
 
-// mockVerifier returns an *oidc.IDTokenVerifier that validates any correctly serialized JWT without doing much else.
-func mockVerifier() *oidc.IDTokenVerifier {
+// mockVerifier returns an *coreosoidc.IDTokenVerifier that validates any correctly serialized JWT without doing much else.
+func mockVerifier() *coreosoidc.IDTokenVerifier {
 mockKeySet := mockkeyset.NewMockKeySet(gomock.NewController(nil))
 mockKeySet.EXPECT().VerifySignature(gomock.Any(), gomock.Any()).
 AnyTimes().
@@ -1420,7 +1420,7 @@ func mockVerifier() *oidc.IDTokenVerifier {
 return jws.UnsafePayloadWithoutVerification(), nil
 })
 
- return oidc.NewVerifier("", mockKeySet, &oidc.Config{
+ return coreosoidc.NewVerifier("", mockKeySet, &coreosoidc.Config{
 SkipIssuerCheck: true,
 SkipExpiryCheck: true,
 SkipClientIDCheck: true,
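Review bot: The rewritten doc comment on mockVerifier in the `@@ -1407,8 +1407,8 @@` hunk now reads `an *coreosoidc.IDTokenVerifier`, which no longer scans: the old wording only worked because `oidc` is read with a leading vowel sound, and the new alias is not. Suggest `// mockVerifier returns a *coreosoidc.IDTokenVerifier that validates any correctly serialized JWT without doing much else.` The body of mockVerifier continues outside this hunk.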
@@ -1430,17 +1430,19 @@ func mockVerifier() *oidc.IDTokenVerifier {
 type mockProvider struct {
 called bool
 rawClaims []byte
- userInfo *oidc.UserInfo
+ userInfo *coreosoidc.UserInfo
 userInfoErr error
 }
 
-func (m *mockProvider) Verifier(_ *oidc.Config) *oidc.IDTokenVerifier { return mockVerifier() }
+func (m *mockProvider) Verifier(_ *coreosoidc.Config) *coreosoidc.IDTokenVerifier {
+ return mockVerifier()
+}
 
 func (m *mockProvider) Claims(v interface{}) error {
 return json.Unmarshal(m.rawClaims, v)
 }
 
-func (m *mockProvider) UserInfo(_ context.Context, tokenSource oauth2.TokenSource) (*oidc.UserInfo, error) {
+func (m *mockProvider) UserInfo(_ context.Context, tokenSource oauth2.TokenSource) (*coreosoidc.UserInfo, error) {
 m.called = true
 
 token, err := tokenSource.Token()
@@ -1454,8 +1456,8 @@ func (m *mockProvider) UserInfo(_ context.Context, tokenSource oauth2.TokenSourc
 return m.userInfo, m.userInfoErr
 }
 
-func forceUserInfoWithClaims(subject string, claims string) *oidc.UserInfo {
- userInfo := &oidc.UserInfo{Subject: subject}
+func forceUserInfoWithClaims(subject string, claims string) *coreosoidc.UserInfo {
+ userInfo := &coreosoidc.UserInfo{Subject: subject}
 
 // this is some dark magic to set a private field
 claimsField := reflect.ValueOf(userInfo).Elem().FieldByName("claims")
diff --git a/pkg/conciergeclient/conciergeclient.go b/pkg/conciergeclient/conciergeclient.go
index 895089bd8..8c68c691d 100644
--- a/pkg/conciergeclient/conciergeclient.go
+++ b/pkg/conciergeclient/conciergeclient.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package conciergeclient provides login helpers for the Pinniped concierge.
@@ -18,7 +18,7 @@ import (
 "k8s.io/client-go/tools/clientcmd"
 clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 
- auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
 conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 "go.pinniped.dev/internal/constable"
@@ -49,10 +49,10 @@ func WithAuthenticator(authType, authName string) Option {
 authenticator := corev1.TypedLocalObjectReference{Name: authName}
 switch strings.ToLower(authType) {
 case "webhook":
- authenticator.APIGroup = &auth1alpha1.SchemeGroupVersion.Group
+ authenticator.APIGroup = &authenticationv1alpha1.SchemeGroupVersion.Group
 authenticator.Kind = "WebhookAuthenticator"
 case "jwt":
- authenticator.APIGroup = &auth1alpha1.SchemeGroupVersion.Group
+ authenticator.APIGroup = &authenticationv1alpha1.SchemeGroupVersion.Group
 authenticator.Kind = "JWTAuthenticator"
 default:
 return fmt.Errorf(`invalid authenticator type: %q, supported values are "webhook" and "jwt"`, authType)
diff --git a/pkg/oidcclient/nonce/nonce_test.go b/pkg/oidcclient/nonce/nonce_test.go
index 0ba3a7ce9..2c3d79ec8 100644
--- a/pkg/oidcclient/nonce/nonce_test.go
+++ b/pkg/oidcclient/nonce/nonce_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package nonce
@@ -9,7 +9,7 @@ import (
 "net/url"
 "testing"
 
- "github.com/coreos/go-oidc/v3/oidc"
+ coreosoidc "github.com/coreos/go-oidc/v3/oidc"
 "github.com/stretchr/testify/require"
 "golang.org/x/oauth2"
 )
@@ -25,10 +25,10 @@ func TestNonce(t *testing.T) {
 require.NoError(t, err)
 require.Equal(t, n.String(), authCodeURL.Query().Get("nonce"))
 
- require.Error(t, n.Validate(&oidc.IDToken{}))
- require.NoError(t, n.Validate(&oidc.IDToken{Nonce: string(n)}))
+ require.Error(t, n.Validate(&coreosoidc.IDToken{}))
+ require.NoError(t, n.Validate(&coreosoidc.IDToken{Nonce: string(n)}))
 
- err = n.Validate(&oidc.IDToken{Nonce: string(n) + "x"})
+ err = n.Validate(&coreosoidc.IDToken{Nonce: string(n) + "x"})
 require.Error(t, err)
 require.True(t, errors.As(err, &InvalidNonceError{}))
 require.Contains(t, err.Error(), string(n)+"x")
diff --git a/test/integration/cli_test.go b/test/integration/cli_test.go
index f3cf3b80c..ff32f5bea 100644
--- a/test/integration/cli_test.go
+++ b/test/integration/cli_test.go
@@ -26,7 +26,7 @@ import (
 "k8s.io/apimachinery/pkg/runtime/serializer"
 clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 
- "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1"
 conciergescheme "go.pinniped.dev/internal/concierge/scheme"
 "go.pinniped.dev/pkg/oidcclient"
@@ -43,7 +43,7 @@ func TestCLIGetKubeconfigStaticToken_Parallel(t *testing.T) {
 ctx, cancelFunc := context.WithTimeout(context.Background(), 5*time.Minute)
 defer cancelFunc()
 
- authenticator := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady)
+ authenticator := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)
 
 // Build pinniped CLI.
 pinnipedExe := testlib.PinnipedCLIPath(t)
diff --git a/test/integration/concierge_api_serving_certs_test.go b/test/integration/concierge_api_serving_certs_test.go
index 7b35390ae..a91141265 100644
--- a/test/integration/concierge_api_serving_certs_test.go
+++ b/test/integration/concierge_api_serving_certs_test.go
@@ -12,7 +12,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/client-go/kubernetes"
 
- "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
 "go.pinniped.dev/internal/testutil"
 "go.pinniped.dev/test/testlib"
@@ -83,7 +83,7 @@ func TestAPIServingCertificateAutoCreationAndRotation_Disruptive(t *testing.T) {
 
 // Create a testWebhook so we have a legitimate authenticator to pass to the
 // TokenCredentialRequest API.
- testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady)
+ testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)
 
 // Get the initial auto-generated version of the Secret.
 secret, err := kubeClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, defaultServingCertResourceName, metav1.GetOptions{})
diff --git a/test/integration/concierge_client_test.go b/test/integration/concierge_client_test.go
index 6a7ffae76..7ea58ee97 100644
--- a/test/integration/concierge_client_test.go
+++ b/test/integration/concierge_client_test.go
@@ -11,7 +11,7 @@ import (
 
 "github.com/stretchr/testify/require"
 
- "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 "go.pinniped.dev/internal/here"
 "go.pinniped.dev/pkg/conciergeclient"
 "go.pinniped.dev/test/testlib"
@@ -59,7 +59,7 @@ func TestClient(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 defer cancel()
 
- webhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady)
+ webhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)
 
 // Use an invalid certificate/key to validate that the ServerVersion API fails like we assume.
 invalidClient := testlib.NewClientsetWithCertAndKey(t, testCert, testKey)
diff --git a/test/integration/concierge_credentialrequest_test.go b/test/integration/concierge_credentialrequest_test.go
index cf3b84191..491f745bc 100644
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@@ -17,7 +17,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/utils/ptr"
 
- auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
 "go.pinniped.dev/test/testlib"
 )
@@ -33,7 +33,7 @@ func TestUnsuccessfulCredentialRequest_Parallel(t *testing.T) {
 loginv1alpha1.TokenCredentialRequestSpec{
 Token: env.TestUser.Token,
 Authenticator: corev1.TypedLocalObjectReference{
- APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
+ APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
 Kind: "WebhookAuthenticator",
 Name: "some-webhook-that-does-not-exist",
 },
@@ -62,7 +62,7 @@ func TestSuccessfulCredentialRequest_Browser(t *testing.T) {
 {
 name: "webhook",
 authenticator: func(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
- return testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, auth1alpha1.WebhookAuthenticatorPhaseReady)
+ return testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)
 },
 token: func(t *testing.T) (string, string, []string) {
 return testlib.IntegrationEnv(t).TestUser.Token, env.TestUser.ExpectedUsername, env.TestUser.ExpectedGroups
@@ -73,7 +73,7 @@ func TestSuccessfulCredentialRequest_Browser(t *testing.T) {
 authenticator: func(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
 authenticator := testlib.CreateTestJWTAuthenticatorForCLIUpstream(ctx, t)
 return corev1.TypedLocalObjectReference{
- APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
+ APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
 Kind: "JWTAuthenticator",
 Name: authenticator.Name,
 }
@@ -148,7 +148,7 @@ func TestFailedCredentialRequestWhenTheRequestIsValidButTheTokenDoesNotAuthentic
 // TokenCredentialRequest API.
 ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 defer cancel()
- testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, auth1alpha1.WebhookAuthenticatorPhaseReady)
+ testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)
 
 response, err := testlib.CreateTokenCredentialRequest(context.Background(), t,
 loginv1alpha1.TokenCredentialRequestSpec{Token: "not a good token", Authenticator: testWebhook},
@@ -169,7 +169,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken_Parallel(t *
 // TokenCredentialRequest API.
 ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 defer cancel()
- testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, auth1alpha1.WebhookAuthenticatorPhaseReady)
+ testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)
 
 response, err := testlib.CreateTokenCredentialRequest(context.Background(), t,
 loginv1alpha1.TokenCredentialRequestSpec{Token: "", Authenticator: testWebhook},
diff --git a/test/integration/concierge_impersonation_proxy_test.go b/test/integration/concierge_impersonation_proxy_test.go
index 8713769af..98f6cd2f0 100644
--- a/test/integration/concierge_impersonation_proxy_test.go
+++ b/test/integration/concierge_impersonation_proxy_test.go
@@ -61,7 +61,7 @@ import (
 "k8s.io/client-go/util/retry"
 "k8s.io/utils/ptr"
 
- "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 conciergev1alpha "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
 identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1"
 loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
@@ -121,7 +121,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 // Create a WebhookAuthenticator and prepare a TokenCredentialRequestSpec using the authenticator for use later.
 credentialRequestSpecWithWorkingCredentials := loginv1alpha1.TokenCredentialRequestSpec{
 Token: env.TestUser.Token,
- Authenticator: testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady),
+ Authenticator: testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady),
 }
 
 // The address of the ClusterIP service that points at the impersonation proxy's port (used when there is no load balancer).
diff --git a/test/integration/concierge_jwtauthenticator_status_test.go b/test/integration/concierge_jwtauthenticator_status_test.go
index dca246aff..8c77da8ac 100644
--- a/test/integration/concierge_jwtauthenticator_status_test.go
+++ b/test/integration/concierge_jwtauthenticator_status_test.go
@@ -14,7 +14,7 @@ import (
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
- "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
+ authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
 "go.pinniped.dev/test/testlib"
 )
 
@@ -31,13 +31,13 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
 name: "valid spec with no errors and all good status conditions and phase will result in a jwt authenticator that is ready",
 run: func(t *testing.T) {
 caBundleString := base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle))
- jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, v1alpha1.JWTAuthenticatorSpec{
+ jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: env.SupervisorUpstreamOIDC.Issuer,
 Audience: "some-fake-audience",
- TLS: &v1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: caBundleString,
 },
- }, v1alpha1.JWTAuthenticatorPhaseReady)
+ }, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
 testlib.WaitForJWTAuthenticatorStatusConditions(
 ctx,
 t,
@@ -49,13 +49,13 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
 name: "valid spec with invalid CA in TLS config will result in a jwt authenticator that is not ready",
 run: func(t *testing.T) {
 caBundleString := "invalid base64-encoded data"
- jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, v1alpha1.JWTAuthenticatorSpec{
+ jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: env.SupervisorUpstreamOIDC.Issuer,
 Audience: "some-fake-audience",
- TLS: &v1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: caBundleString,
 },
- }, v1alpha1.JWTAuthenticatorPhaseError)
+ }, authenticationv1alpha1.JWTAuthenticatorPhaseError)
 testlib.WaitForJWTAuthenticatorStatusConditions(
 ctx,
 t,
@@ -102,16 +102,16 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
 name: "valid spec with valid CA in TLS config but does not match issuer server will result in a jwt authenticator that is not ready",
 run: func(t *testing.T) {
 caBundleString := "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"
- jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, v1alpha1.JWTAuthenticatorSpec{
+ jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: env.SupervisorUpstreamOIDC.Issuer,
 Audience: "some-fake-audience",
 // Some random generated cert
 // Issuer: C=US, O=Pivotal
 // No SAN provided
- TLS: &v1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: caBundleString,
 },
- }, v1alpha1.JWTAuthenticatorPhaseError)
+ }, authenticationv1alpha1.JWTAuthenticatorPhaseError)
 testlib.WaitForJWTAuthenticatorStatusConditions(
 ctx,
 t,
@@ -159,13 +159,13 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
 run: func(t *testing.T) {
 caBundleString := base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle))
 fakeIssuerURL := "https://127.0.0.1:443/some-fake-issuer"
- jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, v1alpha1.JWTAuthenticatorSpec{
+ jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: fakeIssuerURL,
 Audience: "some-fake-audience",
- TLS: &v1alpha1.TLSSpec{
+ TLS: &authenticationv1alpha1.TLSSpec{
 CertificateAuthorityData: caBundleString,
 },
- }, v1alpha1.JWTAuthenticatorPhaseError)
+ }, authenticationv1alpha1.JWTAuthenticatorPhaseError)
 testlib.WaitForJWTAuthenticatorStatusConditions(
 ctx,
 t,
@@ -223,14 +223,14 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
 objectMeta := testlib.ObjectMetaWithRandomName(t, "jwt-authenticator")
 tests := []struct {
 name string
- jwtAuthenticator *v1alpha1.JWTAuthenticator
+ jwtAuthenticator *authenticationv1alpha1.JWTAuthenticator
 wantErr string
 }{
 {
 name: "issuer can not be empty string",
- jwtAuthenticator: &v1alpha1.JWTAuthenticator{
+ jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: objectMeta,
- Spec: v1alpha1.JWTAuthenticatorSpec{
+ Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: "",
 Audience: "fake-audience",
 },
@@ -240,9 +240,9 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
 },
 {
 name: "audience can not be empty string",
- jwtAuthenticator: &v1alpha1.JWTAuthenticator{
+ jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: objectMeta,
- Spec: v1alpha1.JWTAuthenticatorSpec{
+ Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: "https://example.com",
 Audience: "",
 },
@@ -252,9 +252,9 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
 },
 {
 name: "issuer must be https",
- jwtAuthenticator: &v1alpha1.JWTAuthenticator{
+ jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: objectMeta,
- Spec: v1alpha1.JWTAuthenticatorSpec{
+ Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: "http://www.example.com",
 Audience: "foo",
 },
@@ -264,9 +264,9 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
 },
 {
 name: "minimum valid authenticator",
- jwtAuthenticator: &v1alpha1.JWTAuthenticator{
+ jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
 ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
- Spec: v1alpha1.JWTAuthenticatorSpec{
+ Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
 Issuer: env.CLIUpstreamOIDC.Issuer,
 Audience: "foo",
 },
@@ -274,23 +274,23 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) { }, { name: "valid authenticator can have empty claims block", - jwtAuthenticator: &v1alpha1.JWTAuthenticator{ + jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"), - Spec: v1alpha1.JWTAuthenticatorSpec{ + Spec: authenticationv1alpha1.JWTAuthenticatorSpec{ Issuer: env.CLIUpstreamOIDC.Issuer, Audience: "foo", - Claims: v1alpha1.JWTTokenClaims{}, + Claims: authenticationv1alpha1.JWTTokenClaims{}, }, }, }, { name: "valid authenticator can have empty group claim and empty username claim", - jwtAuthenticator: &v1alpha1.JWTAuthenticator{ + jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"), - Spec: v1alpha1.JWTAuthenticatorSpec{ + Spec: authenticationv1alpha1.JWTAuthenticatorSpec{ Issuer: env.CLIUpstreamOIDC.Issuer, Audience: "foo", - Claims: v1alpha1.JWTTokenClaims{ + Claims: authenticationv1alpha1.JWTTokenClaims{ Groups: "", Username: "", }, 
@@ -299,31 +299,31 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) { }, { name: "valid authenticator can have empty TLS block", - jwtAuthenticator: &v1alpha1.JWTAuthenticator{ + jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"), - Spec: v1alpha1.JWTAuthenticatorSpec{ + Spec: authenticationv1alpha1.JWTAuthenticatorSpec{ Issuer: env.CLIUpstreamOIDC.Issuer, Audience: "foo", - Claims: v1alpha1.JWTTokenClaims{ + Claims: authenticationv1alpha1.JWTTokenClaims{ Groups: "", Username: "", }, - TLS: &v1alpha1.TLSSpec{}, + TLS: &authenticationv1alpha1.TLSSpec{}, }, }, }, { name: "valid authenticator can have empty TLS CertificateAuthorityData", - jwtAuthenticator: &v1alpha1.JWTAuthenticator{ + jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"), - Spec: v1alpha1.JWTAuthenticatorSpec{ + Spec: authenticationv1alpha1.JWTAuthenticatorSpec{ Issuer: env.CLIUpstreamOIDC.Issuer, Audience: "foo", - Claims: v1alpha1.JWTTokenClaims{ + Claims: authenticationv1alpha1.JWTTokenClaims{ Groups: "", Username: "", }, - TLS: &v1alpha1.TLSSpec{ + TLS: &authenticationv1alpha1.TLSSpec{ CertificateAuthorityData: "pretend-this-is-a-certificate", }, }, diff --git a/test/integration/concierge_webhookauthenticator_status_test.go b/test/integration/concierge_webhookauthenticator_status_test.go index 6b1e1f937..2a68ec5fa 100644 --- a/test/integration/concierge_webhookauthenticator_status_test.go +++ b/test/integration/concierge_webhookauthenticator_status_test.go @@ -12,7 +12,7 @@ import ( apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" + authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" "go.pinniped.dev/test/testlib" ) 
@@ -25,30 +25,30 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) { tests := []struct { name string - spec func() *v1alpha1.WebhookAuthenticatorSpec - initialPhase v1alpha1.WebhookAuthenticatorPhase + spec func() *authenticationv1alpha1.WebhookAuthenticatorSpec + initialPhase authenticationv1alpha1.WebhookAuthenticatorPhase finalConditions []metav1.Condition run func(t *testing.T) }{ { name: "Basic test to see if the WebhookAuthenticator wakes up or not.", - spec: func() *v1alpha1.WebhookAuthenticatorSpec { + spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec { return &testlib.IntegrationEnv(t).TestWebhook }, - initialPhase: v1alpha1.WebhookAuthenticatorPhaseReady, + initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseReady, finalConditions: allSuccessfulWebhookAuthenticatorConditions(), }, { name: "valid spec with invalid CA in TLS config will result in a WebhookAuthenticator that is not ready", - spec: func() *v1alpha1.WebhookAuthenticatorSpec { + spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec { caBundleString := "invalid base64-encoded data" webhookSpec := testEnv.TestWebhook.DeepCopy() - webhookSpec.TLS = &v1alpha1.TLSSpec{ + webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{ CertificateAuthorityData: caBundleString, } return webhookSpec }, - initialPhase: v1alpha1.WebhookAuthenticatorPhaseError, + initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError, finalConditions: replaceSomeConditions( allSuccessfulWebhookAuthenticatorConditions(), []metav1.Condition{ 
@@ -78,14 +78,14 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) { }, { name: "valid spec with valid CA in TLS config but does not match issuer server will result in a WebhookAuthenticator that is not ready", - spec: func() *v1alpha1.WebhookAuthenticatorSpec { + spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec { webhookSpec := testEnv.TestWebhook.DeepCopy() - webhookSpec.TLS = &v1alpha1.TLSSpec{ + webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{ CertificateAuthorityData: caBundleSomePivotalCA, } return webhookSpec }, - initialPhase: v1alpha1.WebhookAuthenticatorPhaseError, + initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError, finalConditions: replaceSomeConditions( allSuccessfulWebhookAuthenticatorConditions(), []metav1.Condition{ @@ -110,15 +110,15 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) { }, { name: "invalid with unresponsive endpoint will result in a WebhookAuthenticator that is not ready", - spec: func() *v1alpha1.WebhookAuthenticatorSpec { + spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec { webhookSpec := testEnv.TestWebhook.DeepCopy() - webhookSpec.TLS = &v1alpha1.TLSSpec{ + webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{ CertificateAuthorityData: caBundleSomePivotalCA, } webhookSpec.Endpoint = "https://127.0.0.1:443/some-fake-endpoint" return webhookSpec }, - initialPhase: v1alpha1.WebhookAuthenticatorPhaseError, + initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError, finalConditions: replaceSomeConditions( allSuccessfulWebhookAuthenticatorConditions(), []metav1.Condition{ 
@@ -171,14 +171,14 @@ func TestConciergeWebhookAuthenticatorCRDValidations_Parallel(t *testing.T) { objectMeta := testlib.ObjectMetaWithRandomName(t, "webhook-authenticator") tests := []struct { name string - webhookAuthenticator *v1alpha1.WebhookAuthenticator + webhookAuthenticator *authenticationv1alpha1.WebhookAuthenticator wantErr string }{ { name: "endpoint can not be empty string", - webhookAuthenticator: &v1alpha1.WebhookAuthenticator{ + webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: objectMeta, - Spec: v1alpha1.WebhookAuthenticatorSpec{ + Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{ Endpoint: "", }, }, @@ -187,9 +187,9 @@ func TestConciergeWebhookAuthenticatorCRDValidations_Parallel(t *testing.T) { }, { name: "endpoint must be https", - webhookAuthenticator: &v1alpha1.WebhookAuthenticator{ + webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: objectMeta, - Spec: v1alpha1.WebhookAuthenticatorSpec{ + Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{ Endpoint: "http://www.example.com", }, }, 
@@ -198,30 +198,30 @@ func TestConciergeWebhookAuthenticatorCRDValidations_Parallel(t *testing.T) { }, { name: "minimum valid authenticator", - webhookAuthenticator: &v1alpha1.WebhookAuthenticator{ + webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: testlib.ObjectMetaWithRandomName(t, "webhook"), - Spec: v1alpha1.WebhookAuthenticatorSpec{ + Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{ Endpoint: "https://localhost/webhook-isnt-actually-here", }, }, }, { name: "valid authenticator can have empty TLS block", - webhookAuthenticator: &v1alpha1.WebhookAuthenticator{ + webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: testlib.ObjectMetaWithRandomName(t, "webhook"), - Spec: v1alpha1.WebhookAuthenticatorSpec{ + Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{ Endpoint: "https://localhost/webhook-isnt-actually-here", - TLS: &v1alpha1.TLSSpec{}, + TLS: &authenticationv1alpha1.TLSSpec{}, }, }, }, { name: "valid authenticator can have empty TLS CertificateAuthorityData", - webhookAuthenticator: &v1alpha1.WebhookAuthenticator{ + webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"), - Spec: v1alpha1.WebhookAuthenticatorSpec{ + Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{ Endpoint: "https://localhost/webhook-isnt-actually-here", - TLS: &v1alpha1.TLSSpec{ + TLS: &authenticationv1alpha1.TLSSpec{ CertificateAuthorityData: "", }, }, 
@@ -230,11 +230,11 @@ func TestConciergeWebhookAuthenticatorCRDValidations_Parallel(t *testing.T) { { // since the CRD validations do not assess fitness of the value provided name: "valid authenticator can have TLS CertificateAuthorityData string that is an invalid certificate", - webhookAuthenticator: &v1alpha1.WebhookAuthenticator{ + webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"), - Spec: v1alpha1.WebhookAuthenticatorSpec{ + Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{ Endpoint: "https://localhost/webhook-isnt-actually-here", - TLS: &v1alpha1.TLSSpec{ + TLS: &authenticationv1alpha1.TLSSpec{ CertificateAuthorityData: "pretend-this-is-a-certificate", }, }, diff --git a/test/integration/e2e_test.go b/test/integration/e2e_test.go index b65d0a472..f81206ede 100644 --- a/test/integration/e2e_test.go +++ b/test/integration/e2e_test.go @@ -34,7 +34,7 @@ import ( utilerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/utils/ptr" - authv1alpha "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" + authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" supervisorclient "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1" 
@@ -115,11 +115,11 @@ func TestE2EFullIntegration_Browser(t *testing.T) { // Create a JWTAuthenticator that will validate the tokens from the downstream issuer. // If the FederationDomain is not Ready, the JWTAuthenticator cannot be ready, either. clusterAudience := "test-cluster-" + testlib.RandHex(t, 8) - authenticator := testlib.CreateTestJWTAuthenticator(topSetupCtx, t, authv1alpha.JWTAuthenticatorSpec{ + authenticator := testlib.CreateTestJWTAuthenticator(topSetupCtx, t, authenticationv1alpha1.JWTAuthenticatorSpec{ Issuer: federationDomain.Spec.Issuer, Audience: clusterAudience, - TLS: &authv1alpha.TLSSpec{CertificateAuthorityData: testCABundleBase64}, - }, authv1alpha.JWTAuthenticatorPhaseError) + TLS: &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: testCABundleBase64}, + }, authenticationv1alpha1.JWTAuthenticatorPhaseError) // Add an OIDC upstream IDP and try using it to authenticate during kubectl commands. t.Run("with Supervisor OIDC upstream IDP and browser flow with with form_post automatic authcode delivery to CLI", func(t *testing.T) { @@ -164,7 +164,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { }, }, idpv1alpha1.PhaseReady) testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/test-sessions.yaml" 
@@ -250,7 +250,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { }, }, idpv1alpha1.PhaseReady) testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/test-sessions.yaml" @@ -338,7 +338,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { }, }, idpv1alpha1.PhaseReady) testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/test-sessions.yaml" @@ -462,7 +462,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { }, }, idpv1alpha1.PhaseReady) testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/test-sessions.yaml" 
@@ -593,7 +593,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { }, }, idpv1alpha1.PhaseReady) testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/test-sessions.yaml" @@ -666,7 +666,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { }, }, idpv1alpha1.PhaseReady) testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/test-sessions.yaml" @@ -730,7 +730,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env) testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/test-sessions.yaml" 
@@ -789,7 +789,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env) testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/test-sessions.yaml" @@ -852,7 +852,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env) testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/test-sessions.yaml" @@ -923,7 +923,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env) testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/test-sessions.yaml" 
@@ -982,7 +982,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env) testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/test-sessions.yaml" @@ -1055,7 +1055,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env) testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/test-sessions.yaml" @@ -1110,7 +1110,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env) testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/test-sessions.yaml" 
@@ -1165,7 +1165,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env) testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/test-sessions.yaml" @@ -1242,7 +1242,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { // Having one IDP should put the FederationDomain into a ready state. testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster. testlib.CreateTestClusterRoleBinding(t, @@ -1276,7 +1276,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { // Having a second IDP should put the FederationDomain back into an error state until we tell it which one to use. testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseError) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Update the FederationDomain to use the two IDPs. federationDomainsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().FederationDomains(env.SupervisorNamespace) 
@@ -1371,7 +1371,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { // The FederationDomain should be valid after the above update. testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/test-sessions.yaml" @@ -1505,7 +1505,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) { }, 20*time.Second, 250*time.Millisecond) // The FederationDomain should be valid after the above update. testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Log out so we can try fresh logins again. require.NoError(t, os.Remove(credentialCachePath)) diff --git a/test/integration/supervisor_warnings_test.go b/test/integration/supervisor_warnings_test.go index b07f0a73a..246bad365 100644 --- a/test/integration/supervisor_warnings_test.go +++ b/test/integration/supervisor_warnings_test.go @@ -24,7 +24,7 @@ import ( corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" - authv1alpha "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" + authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" "go.pinniped.dev/internal/certauthority" 
@@ -93,11 +93,11 @@ func TestSupervisorWarnings_Browser(t *testing.T) { // Create a JWTAuthenticator that will validate the tokens from the downstream issuer. // if the FederationDomain is not Ready, the JWTAuthenticator cannot be ready, either. clusterAudience := "test-cluster-" + testlib.RandHex(t, 8) - authenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authv1alpha.JWTAuthenticatorSpec{ + authenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authenticationv1alpha1.JWTAuthenticatorSpec{ Issuer: downstream.Spec.Issuer, Audience: clusterAudience, - TLS: &authv1alpha.TLSSpec{CertificateAuthorityData: testCABundleBase64}, - }, authv1alpha.JWTAuthenticatorPhaseError) + TLS: &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: testCABundleBase64}, + }, authenticationv1alpha1.JWTAuthenticatorPhaseError) const ( yellowColor = "\u001b[33;1m" @@ -111,7 +111,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) { createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env) testlib.WaitForFederationDomainStatusPhase(ctx, t, downstream.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/ldap-test-refresh-sessions.yaml" 
@@ -259,7 +259,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) { sAMAccountName := expectedUsername + "@" + env.SupervisorUpstreamActiveDirectory.Domain createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, sAMAccountName, env) testlib.WaitForFederationDomainStatusPhase(ctx, t, downstream.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/ldap-test-refresh-sessions.yaml" @@ -421,7 +421,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) { }, }, idpv1alpha1.PhaseReady) testlib.WaitForFederationDomainStatusPhase(ctx, t, downstream.Name, configv1alpha1.FederationDomainPhaseReady) - testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady) + testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady) // Use a specific session cache for this test. sessionCachePath := tempDir + "/ldap-test-refresh-sessions.yaml" diff --git a/test/testlib/client.go b/test/testlib/client.go index 406ff5cef..35f4c6d72 100644 --- a/test/testlib/client.go +++ b/test/testlib/client.go @@ -27,7 +27,7 @@ import ( aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset" "k8s.io/utils/ptr" - auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" + authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1" clientsecretv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" 
@@ -174,8 +174,8 @@ func NewKubeclient(t *testing.T, config *rest.Config) *kubeclient.Client { func CreateTestWebhookAuthenticator( ctx context.Context, t *testing.T, - webhookSpec *auth1alpha1.WebhookAuthenticatorSpec, - expectedStatus auth1alpha1.WebhookAuthenticatorPhase) corev1.TypedLocalObjectReference { + webhookSpec *authenticationv1alpha1.WebhookAuthenticatorSpec, + expectedStatus authenticationv1alpha1.WebhookAuthenticatorPhase) corev1.TypedLocalObjectReference { t.Helper() client := NewConciergeClientset(t) @@ -184,7 +184,7 @@ func CreateTestWebhookAuthenticator( createContext, cancel := context.WithTimeout(ctx, time.Minute) defer cancel() - webhook, err := webhooks.Create(createContext, &auth1alpha1.WebhookAuthenticator{ + webhook, err := webhooks.Create(createContext, &authenticationv1alpha1.WebhookAuthenticator{ ObjectMeta: testObjectMeta(t, "webhook"), Spec: *webhookSpec, }, metav1.CreateOptions{}) @@ -205,7 +205,7 @@ func CreateTestWebhookAuthenticator( } return corev1.TypedLocalObjectReference{ - APIGroup: &auth1alpha1.SchemeGroupVersion.Group, + APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group, Kind: "WebhookAuthenticator", Name: webhook.Name, } @@ -215,7 +215,7 @@ func WaitForWebhookAuthenticatorStatusPhase( ctx context.Context, t *testing.T, webhookName string, - expectPhase auth1alpha1.WebhookAuthenticatorPhase) { + expectPhase authenticationv1alpha1.WebhookAuthenticatorPhase) { t.Helper() webhookAuthenticatorClientSet := NewConciergeClientset(t).AuthenticationV1alpha1().WebhookAuthenticators() 
@@ -256,25 +256,25 @@ func WaitForWebhookAuthenticatorStatusConditions(ctx context.Context, t *testing // deleted at the end of the current test's lifetime. // // CreateTestJWTAuthenticatorForCLIUpstream gets the OIDC issuer info from IntegrationEnv().CLIUpstreamOIDC. -func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T) *auth1alpha1.JWTAuthenticator { +func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T) *authenticationv1alpha1.JWTAuthenticator { t.Helper() testEnv := IntegrationEnv(t) - spec := auth1alpha1.JWTAuthenticatorSpec{ + spec := authenticationv1alpha1.JWTAuthenticatorSpec{ Issuer: testEnv.CLIUpstreamOIDC.Issuer, Audience: testEnv.CLIUpstreamOIDC.ClientID, // The default UsernameClaim is "username" but the upstreams that we use for // integration tests won't necessarily have that claim, so use "sub" here. - Claims: auth1alpha1.JWTTokenClaims{Username: "sub"}, + Claims: authenticationv1alpha1.JWTTokenClaims{Username: "sub"}, } // If the test upstream does not have a CA bundle specified, then don't configure one in the // JWTAuthenticator. Leaving TLSSpec set to nil will result in OIDC discovery using the OS's root // CA store. if testEnv.CLIUpstreamOIDC.CABundle != "" { - spec.TLS = &auth1alpha1.TLSSpec{ + spec.TLS = &authenticationv1alpha1.TLSSpec{ CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(testEnv.CLIUpstreamOIDC.CABundle)), } } - authenticator := CreateTestJWTAuthenticator(ctx, t, spec, auth1alpha1.JWTAuthenticatorPhaseReady) + authenticator := CreateTestJWTAuthenticator(ctx, t, spec, authenticationv1alpha1.JWTAuthenticatorPhaseReady) return authenticator } 
@@ -283,8 +283,8 @@ func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T) func CreateTestJWTAuthenticator( ctx context.Context, t *testing.T, - spec auth1alpha1.JWTAuthenticatorSpec, - expectedStatus auth1alpha1.JWTAuthenticatorPhase) *auth1alpha1.JWTAuthenticator { + spec authenticationv1alpha1.JWTAuthenticatorSpec, + expectedStatus authenticationv1alpha1.JWTAuthenticatorPhase) *authenticationv1alpha1.JWTAuthenticator { t.Helper() client := NewConciergeClientset(t) @@ -293,7 +293,7 @@ func CreateTestJWTAuthenticator( createContext, cancel := context.WithTimeout(ctx, time.Minute) defer cancel() - jwtAuthenticator, err := jwtAuthenticators.Create(createContext, &auth1alpha1.JWTAuthenticator{ + jwtAuthenticator, err := jwtAuthenticators.Create(createContext, &authenticationv1alpha1.JWTAuthenticator{ ObjectMeta: testObjectMeta(t, "jwt-authenticator"), Spec: spec, }, metav1.CreateOptions{}) @@ -314,7 +314,7 @@ func CreateTestJWTAuthenticator( return jwtAuthenticator } -func WaitForJWTAuthenticatorStatusPhase(ctx context.Context, t *testing.T, jwtAuthenticatorName string, expectPhase auth1alpha1.JWTAuthenticatorPhase) { +func WaitForJWTAuthenticatorStatusPhase(ctx context.Context, t *testing.T, jwtAuthenticatorName string, expectPhase authenticationv1alpha1.JWTAuthenticatorPhase) { t.Helper() jwtAuthenticatorClientSet := NewConciergeClientset(t).AuthenticationV1alpha1().JWTAuthenticators() diff --git a/test/testlib/env.go b/test/testlib/env.go index 74ea0ae90..0998c2cfb 100644 --- a/test/testlib/env.go +++ b/test/testlib/env.go @@ -1,4 +1,4 @@ -// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package testlib 
@@ -14,7 +14,7 @@ import ( "github.com/stretchr/testify/require" "sigs.k8s.io/yaml" - auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" + authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" ) type Capability string 
@@ -39,22 +39,22 @@ type TestEnv struct {
 skipPodRestartAssertions bool
- ToolsNamespace string `json:"toolsNamespace"`
- ConciergeNamespace string `json:"conciergeNamespace"`
- SupervisorNamespace string `json:"supervisorNamespace"`
- ConciergeAppName string `json:"conciergeAppName"`
- SupervisorAppName string `json:"supervisorAppName"`
- SupervisorCustomLabels map[string]string `json:"supervisorCustomLabels"`
- ConciergeCustomLabels map[string]string `json:"conciergeCustomLabels"`
- KubernetesDistribution KubeDistro `json:"kubernetesDistribution"`
- Capabilities map[Capability]bool `json:"capabilities"`
- TestWebhook auth1alpha1.WebhookAuthenticatorSpec `json:"testWebhook"`
- SupervisorHTTPSAddress string `json:"supervisorHttpsAddress"`
- SupervisorHTTPSIngressAddress string `json:"supervisorHttpsIngressAddress"`
- SupervisorHTTPSIngressCABundle string `json:"supervisorHttpsIngressCABundle"`
- Proxy string `json:"proxy"`
- APIGroupSuffix string `json:"apiGroupSuffix"`
- ShellContainerImage string `json:"shellContainer"`
+ ToolsNamespace string `json:"toolsNamespace"`
+ ConciergeNamespace string `json:"conciergeNamespace"`
+ SupervisorNamespace string `json:"supervisorNamespace"`
+ ConciergeAppName string `json:"conciergeAppName"`
+ SupervisorAppName string `json:"supervisorAppName"`
+ SupervisorCustomLabels map[string]string `json:"supervisorCustomLabels"`
+ ConciergeCustomLabels map[string]string `json:"conciergeCustomLabels"`
+ KubernetesDistribution KubeDistro `json:"kubernetesDistribution"`
+ Capabilities map[Capability]bool `json:"capabilities"`
+ TestWebhook authenticationv1alpha1.WebhookAuthenticatorSpec `json:"testWebhook"`
+ SupervisorHTTPSAddress string `json:"supervisorHttpsAddress"`
+ SupervisorHTTPSIngressAddress string `json:"supervisorHttpsIngressAddress"`
+ SupervisorHTTPSIngressCABundle string `json:"supervisorHttpsIngressCABundle"`
+ Proxy string `json:"proxy"`
+ APIGroupSuffix string `json:"apiGroupSuffix"`
+ ShellContainerImage string `json:"shellContainer"`
 TestUser struct {
 Token string `json:"token"`
@@ -227,7 +227,7 @@ func loadEnvVars(t *testing.T, result *TestEnv) {
 result.TestWebhook.Endpoint = needEnv(t, "PINNIPED_TEST_WEBHOOK_ENDPOINT")
 result.SupervisorNamespace = needEnv(t, "PINNIPED_TEST_SUPERVISOR_NAMESPACE")
 result.SupervisorAppName = needEnv(t, "PINNIPED_TEST_SUPERVISOR_APP_NAME")
- result.TestWebhook.TLS = &auth1alpha1.TLSSpec{CertificateAuthorityData: needEnv(t, "PINNIPED_TEST_WEBHOOK_CA_BUNDLE")}
+ result.TestWebhook.TLS = &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: needEnv(t, "PINNIPED_TEST_WEBHOOK_CA_BUNDLE")}
 result.SupervisorHTTPSIngressAddress = os.Getenv("PINNIPED_TEST_SUPERVISOR_HTTPS_INGRESS_ADDRESS")
 result.SupervisorHTTPSAddress = needEnv(t, "PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS")
