- "Ready" condition & supporting conditions
- Legacy "Phase" for convenience
- Refactor newCachedJWTAuthenticator() func
to improve ability to provide additional conditions
- Update JWTAuthenticator.Status type
- Update RBAC for SA to get/watch/update JWTAuthenticator.Status
- Update logger to plog, add tests for logs & statuses
- update Sync() to reduce enqueue when error is config/user managed, perhaps remove validateJWKSResponse()
- update kind config to include local registry
- configure kind cluster to talk to local registry
- docker build & push pinniped dev code to local registry
- deploy dev code of the following via the local registry:
- concierge
- supervisor
- local-user-authenticator
- Update values.yaml for supervisor,concierge to schema files
- Update values.yaml for local-user-authenticator to schema file
- Add ytt openapi-v3 generation to build carvel package script
- Add supervisor carvel package files
- Add concierge carvel package files
- Add local-user-authenticator carvel package files
- Add hack script to build openapi-v3 files
- add --post-install to hack/prepare-for-integration-tests.sh
- cleanup local registry in kind-down.sh
- webhook_ca_bundle moved in hack script
- adjust were to call post-install script
- deploy/{}/values.yml image_pull_dockerconfigjson type change to base64 string
- Add PINNIPED_USE_LOCAL_KIND_REGISTRY env var
- ensures regular use of hack/prepare-for-integration-tests.sh
- PINNIPED_USE_LOCAL_KIND_REGISTRY=1 ./hack/prepare-for-integration-tests.sh --clean --alternate-deploy ./hack/noop.sh --post-install ./hack/build-carvel-packages.sh
- ./hack/prepare-for-integration-tests.sh --clean
- if PINNIPED_USE_LOCAL_KIND_REGISTRY for kind-down.sh in hack/prepare-for-integration-tests.sh
- Split carvel build & deploy scripts, add --pre-install flag
- add pre-install flag to hack/prepare-for-integration-tests.sh
- split /hack/build-carvel-packages.sh and
/hack/deploy-carvel-packages.sh
- Remove --alternate-deploy-* flags from hack script
- Move scripts to hack/lib/carvel_packages
- Split build.sh deploy.sh
- Separate template files from install artifacts
- Generate all install artifacts in $root/deploy_carvel
- remove $root/deploy_carvel from git
- Extract ytt values to file in hack/prepare-for-integration-tests.sh
- pass registry/repo to carvel build scripts
- Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings
- Advertise additionalClaims in the OIDC discovery endpoint under claims_supported
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
This commit is a WIP commit because it doesn't include many tests
for the new feature.
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
Where possible, use securityContext settings which will work with the
most restrictive Pod Security Admission policy level (as of Kube 1.25).
Where privileged containers are needed, use the namespace-level
annotation to allow them.
Also adjust some integration tests to make similar changes to allow the
integration tests to pass on test clusters which use restricted PSAs.
The following validation is enforced:
1. Names must start with client.oauth.pinniped.dev-
2. Redirect URIs must start with https://
or http://127.0.0.1
or http://::1
3. All spec lists must not have duplicates
Added an integration test to assert all static validations.
Signed-off-by: Monis Khan <mok@vmware.com>
