mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-01-17 11:13:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: mirrors:main
Branches Tags
mirrors:main mirrors:dependabot/docker/dockerfiles/eks-deployer/ci/amazon/aws-cli-2.33.1 mirrors:dependabot/docker/dockerfiles/gh-cli/ci/golang-1.26rc2 mirrors:dependabot/docker/dockerfiles/test-cfssl/ci/golang-1.26rc2 mirrors:dependabot/docker/dockerfiles/crane/ci/golang-1.26rc2 mirrors:dependabot/docker/pipelines/shared-helpers/test-binaries-image/ci/golang-1.26rc2-bookworm mirrors:dependabot/docker/dockerfiles/code-coverage-uploader/ci/golang-1.26rc2 mirrors:dependabot/docker/dockerfiles/integration-test-runner/ci/google/cloud-sdk-552.0.0-slim mirrors:dependabot/docker/dockerfiles/integration-test-runner-beta/ci/google/cloud-sdk-552.0.0-slim mirrors:dependabot/docker/dockerfiles/k8s-app-deployer/ci/google/cloud-sdk-552.0.0-slim mirrors:pinny/bump-deps mirrors:dependabot/docker/dockerfiles/test-forward-proxy/ci/debian-13.3-slim mirrors:dependabot/docker/dockerfiles/pool-trigger-resource/ci/debian-13.3-slim mirrors:dependabot/docker/dockerfiles/code-coverage-uploader/ci/debian-13.3-slim mirrors:dependabot/docker/dockerfiles/deployment-yaml-formatter/ci/debian-13.3-slim mirrors:dependabot/docker/dockerfiles/gh-cli/ci/debian-13.3-slim mirrors:dependabot/go_modules/hack/update-go-mod/golang.org/x/mod-0.32.0 mirrors:ci mirrors:jtc/freeze-k8s-utils mirrors:jtc/add-a-bunch-of-groups mirrors:poc/AuditEventFrom_replacement mirrors:jtc/bump-to-k8s-0-34-0 mirrors:move_ci mirrors:upgrade_linter_may_2025 mirrors:jtc/bump-to-k8s-1-32-libs mirrors:jtc/backfill-test mirrors:jtc/warn-when-tokens-are-large mirrors:jtc/externally-configured-serving-certs mirrors:jtc/use-soft-memory-limit-1103 mirrors:poc/session_length mirrors:jtc/propose-opt-out-of-self-signed-cas mirrors:poc/kube_csr_api mirrors:release-0.12 mirrors:poc/client-side-logout mirrors:release-0.4
mirrors:v0.43.0 mirrors:v0.42.0 mirrors:v0.41.0 mirrors:v0.40.0 mirrors:v0.39.0 mirrors:v0.38.0 mirrors:v0.37.0 mirrors:v0.36.0 mirrors:v0.35.0 mirrors:v0.34.0 mirrors:v0.33.0 mirrors:v0.32.0 mirrors:v0.31.0 mirrors:v0.30.0 mirrors:v0.29.0 mirrors:v0.28.0 mirrors:v0.27.0 mirrors:v0.26.0 mirrors:v0.25.0 mirrors:v0.24.0 mirrors:v0.23.0 mirrors:v0.22.0 mirrors:v0.21.0 mirrors:v0.20.0 mirrors:v0.19.0 mirrors:v0.18.0 mirrors:v0.17.0 mirrors:v0.16.0 mirrors:v0.15.0 mirrors:v0.12.1 mirrors:v0.14.0 mirrors:v0.13.0 mirrors:v0.12.0 mirrors:v0.11.0 mirrors:v0.10.0 mirrors:v0.4.4 mirrors:v0.9.2 mirrors:v0.9.1 mirrors:v0.9.0 mirrors:v0.4.3 mirrors:v0.8.0 mirrors:v0.4.2 mirrors:v0.7.0 mirrors:v0.6.0 mirrors:v0.5.0 mirrors:v0.4.1 mirrors:v0.4.0 mirrors:v0.3.0 mirrors:v0.2.0 mirrors:v0.1.0
..
compare: mirrors:poc/session_length
Branches Tags
mirrors:dependabot/docker/dockerfiles/eks-deployer/ci/amazon/aws-cli-2.33.1 mirrors:dependabot/docker/dockerfiles/gh-cli/ci/golang-1.26rc2 mirrors:dependabot/docker/dockerfiles/test-cfssl/ci/golang-1.26rc2 mirrors:dependabot/docker/dockerfiles/crane/ci/golang-1.26rc2 mirrors:dependabot/docker/pipelines/shared-helpers/test-binaries-image/ci/golang-1.26rc2-bookworm mirrors:dependabot/docker/dockerfiles/code-coverage-uploader/ci/golang-1.26rc2 mirrors:dependabot/docker/dockerfiles/integration-test-runner/ci/google/cloud-sdk-552.0.0-slim mirrors:dependabot/docker/dockerfiles/integration-test-runner-beta/ci/google/cloud-sdk-552.0.0-slim mirrors:dependabot/docker/dockerfiles/k8s-app-deployer/ci/google/cloud-sdk-552.0.0-slim mirrors:pinny/bump-deps mirrors:dependabot/docker/dockerfiles/test-forward-proxy/ci/debian-13.3-slim mirrors:dependabot/docker/dockerfiles/pool-trigger-resource/ci/debian-13.3-slim mirrors:dependabot/docker/dockerfiles/code-coverage-uploader/ci/debian-13.3-slim mirrors:dependabot/docker/dockerfiles/deployment-yaml-formatter/ci/debian-13.3-slim mirrors:dependabot/docker/dockerfiles/gh-cli/ci/debian-13.3-slim mirrors:dependabot/go_modules/hack/update-go-mod/golang.org/x/mod-0.32.0 mirrors:ci mirrors:main mirrors:jtc/freeze-k8s-utils mirrors:jtc/add-a-bunch-of-groups mirrors:poc/AuditEventFrom_replacement mirrors:jtc/bump-to-k8s-0-34-0 mirrors:move_ci mirrors:upgrade_linter_may_2025 mirrors:jtc/bump-to-k8s-1-32-libs mirrors:jtc/backfill-test mirrors:jtc/warn-when-tokens-are-large mirrors:jtc/externally-configured-serving-certs mirrors:jtc/use-soft-memory-limit-1103 mirrors:poc/session_length mirrors:jtc/propose-opt-out-of-self-signed-cas mirrors:poc/kube_csr_api mirrors:release-0.12 mirrors:poc/client-side-logout mirrors:release-0.4
mirrors:v0.43.0 mirrors:v0.42.0 mirrors:v0.41.0 mirrors:v0.40.0 mirrors:v0.39.0 mirrors:v0.38.0 mirrors:v0.37.0 mirrors:v0.36.0 mirrors:v0.35.0 mirrors:v0.34.0 mirrors:v0.33.0 mirrors:v0.32.0 mirrors:v0.31.0 mirrors:v0.30.0 mirrors:v0.29.0 mirrors:v0.28.0 mirrors:v0.27.0 mirrors:v0.26.0 mirrors:v0.25.0 mirrors:v0.24.0 mirrors:v0.23.0 mirrors:v0.22.0 mirrors:v0.21.0 mirrors:v0.20.0 mirrors:v0.19.0 mirrors:v0.18.0 mirrors:v0.17.0 mirrors:v0.16.0 mirrors:v0.15.0 mirrors:v0.12.1 mirrors:v0.14.0 mirrors:v0.13.0 mirrors:v0.12.0 mirrors:v0.11.0 mirrors:v0.10.0 mirrors:v0.4.4 mirrors:v0.9.2 mirrors:v0.9.1 mirrors:v0.9.0 mirrors:v0.4.3 mirrors:v0.8.0 mirrors:v0.4.2 mirrors:v0.7.0 mirrors:v0.6.0 mirrors:v0.5.0 mirrors:v0.4.1 mirrors:v0.4.0 mirrors:v0.3.0 mirrors:v0.2.0 mirrors:v0.1.0

1 Commits
main ... poc/sessio

Author SHA1 Message Date
Ryan Richard
fbaf16a208 proof of concept for changing session lifetime for GitHub PATs 2024-11-15 13:03:03 -08:00
2109 changed files with 81471 additions and 114375 deletions
Expand all files Collapse all files

16
.github/ISSUE_TEMPLATE/release_checklist.md vendored
View File

@@ -11,23 +11,21 @@ assignees: ''
# Release checklist
- [ ] Ensure that Pinniped's dependencies have been upgraded, to the extent desired by the team (refer to the diff output from the latest run of the [all-golang-deps-updated](https://ci.pinniped.broadcom.net/teams/main/pipelines/security-scan/jobs/all-golang-deps-updated/) CI job)
- [ ] Ensure that Pinniped's dependencies have been upgraded, to the extent desired by the team (refer to the diff output from the latest run of the [all-golang-deps-updated](https://ci.pinniped.dev/teams/main/pipelines/security-scan/jobs/all-golang-deps-updated/) CI job)
- [ ] If you are updating golang in Pinniped, be sure to update golang in CI as well. Do a search-and-replace to update the version number everywhere in the pinniped `ci` branch.
- [ ] If the Fosite library is being updated and the format of the content of the Supervisor's storage Secrets are changed, or if any change to our own code changes the format of the content of the Supervisor's session storage Secrets, then be sure to update the `accessTokenStorageVersion`, `authorizeCodeStorageVersion`, `oidcStorageVersion`, `pkceStorageVersion`, `refreshTokenStorageVersion`, variables in files such as `internal/fositestorage/accesstoken/accesstoken.go`. Failing tests should signal the need to update these values.
- [ ] For go.mod direct dependencies that are v2 or above, such as `github.com/google/go-github/vXX`, check to see if there is a new major version available. Try using `hack/update-go-mod/update-majors.sh`.
- [ ] Evaluate all `replace` directives in the `go.mod` file. Are those versions up-to-date? Can any `replace` directives be removed?
- [ ] Evaluate all overrides in the `hack/update-go-mod/overrides.conf` file. Are those versions up-to-date? Can those overrides be removed?
- [ ] Ensure that Pinniped's codegen is up-to-date with the latest Kubernetes releases by making sure this [file](https://github.com/vmware/pinniped/blob/main/hack/lib/kube-versions.txt) is updated compared to the latest releases listed [here for active branches](https://kubernetes.io/releases/) and [here for non-active branches](https://kubernetes.io/releases/patch-releases/#non-active-branch-history)
- [ ] For go.mod direct dependencies that are v2 or above, such as `github.com/google/go-github/vXX`, check to see if there is a new major version available.
- [ ] Evaluate all `replace` directives in the `go.mod` file. Are they up to date versions? Can any `replace` directives be removed?
- [ ] Ensure that Pinniped's codegen is up-to-date with the latest Kubernetes releases by making sure this [file](https://github.com/vmware-tanzu/pinniped/blob/main/hack/lib/kube-versions.txt) is updated compared to the latest releases listed [here for active branches](https://kubernetes.io/releases/) and [here for non-active branches](https://kubernetes.io/releases/patch-releases/#non-active-branch-history)
- [ ] Ensure that the `k8s-code-generator` CI job definitions are up-to-date with the latest Go, K8s, and `controller-gen` versions
- [ ] All relevant feature and docs PRs are merged
- [ ] The [main pipeline](https://ci.pinniped.broadcom.net/teams/main/pipelines/main) is green, up to and including the `ready-to-release` job. Check that the expected git commit has passed the `ready-to-release` job.
- [ ] Manually trigger the jobs `run-int-misc`, `run-int-cloud-providers`, and `run-int-k8s-versions` in the main pipeline to run other pre-release tests. Depending on the number of Concourse workers, you may need to run these one at a time.
- [ ] The [main pipeline](https://ci.pinniped.dev/teams/main/pipelines/main) is green, up to and including the `ready-to-release` job. Check that the expected git commit has passed the `ready-to-release` job.
- [ ] Optional: a blog post for the release is written and submitted as a PR but not merged yet
- [ ] All merged user stories are accepted (manually tested)
- [ ] Only after all stories are accepted, manually trigger the `release` job to create a draft GitHub release
- [ ] Manually edit the draft release notes on the [GitHub release](https://github.com/vmware/pinniped/releases) to describe the contents of the release, using the format which was automatically added to the draft release
- [ ] Manually edit the draft release notes on the [GitHub release](https://github.com/vmware-tanzu/pinniped/releases) to describe the contents of the release, using the format which was automatically added to the draft release
- [ ] Publish (i.e. make public) the draft release
- [ ] After making the release public, the jobs in the [main pipeline](https://ci.pinniped.broadcom.net/teams/main/pipelines/main) beyond the release job should auto-trigger, so check to make sure that they passed
- [ ] After making the release public, the jobs in the [main pipeline](https://ci.pinniped.dev/teams/main/pipelines/main) beyond the release job should auto-trigger, so check to make sure that they passed
- [ ] Edit the blog post's date to make it match the actual release date, and merge the blog post PR to make it live on the website
- [ ] Publicize the release via tweets, etc.
- [ ] Close this issue

6
.github/dependabot.yml vendored
View File

@@ -71,6 +71,12 @@ updates:
schedule:
interval: "daily"
target-branch: ci
- package-ecosystem: "docker"
directory: "/dockerfiles/go-lint-runner/"
open-pull-requests-limit: 100
schedule:
interval: "daily"
target-branch: ci
- package-ecosystem: "docker"
directory: "/dockerfiles/integration-test-runner/"
open-pull-requests-limit: 100

273
.golangci.yaml
View File

@@ -1,14 +1,24 @@
# https://golangci-lint.run/usage/configuration/
run:
timeout: 1m
version: "2"
linters:
default: none
disable-all: true
enable:
# default linters
- errcheck
- gosimple
- govet
- ineffassign
- staticcheck
- typecheck
- unused
# additional linters for this project (we should disable these if they get annoying).
- asciicheck
- bodyclose
- copyloopvar
# - depguard
- dogsled
- errcheck
- exhaustive
- funlen
- gochecknoglobals
@@ -17,151 +27,136 @@ linters:
- gocyclo
- godot
- goheader
- goimports
- revive
- goprintffuncname
- gosec
- govet
- importas
- ineffassign
- intrange
- makezero
- misspell
- nakedret
- nestif
- noctx
- nolintlint
- prealloc
- revive
- rowserrcheck
- spancheck
- sqlclosecheck
- staticcheck
- unconvert
- unused
- whitespace
settings:
funlen:
lines: 150
statements: 50
goheader:
values:
regexp:
# YYYY or YYYY-YYYY
YEARS: \d\d\d\d(-\d\d\d\d)?
template: |-
Copyright {{YEARS}} the Pinniped contributors. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
importas:
alias:
- pkg: k8s.io/apimachinery/pkg/util/errors
alias: utilerrors
- pkg: k8s.io/apimachinery/pkg/api/errors
alias: apierrors
- pkg: k8s.io/apimachinery/pkg/apis/meta/v1
alias: metav1
- pkg: k8s.io/api/core/v1
alias: corev1
- pkg: github.com/coreos/go-oidc/v3/oidc
alias: coreosoidc
- pkg: github.com/ory/fosite/handler/oauth2
alias: fositeoauth2
- pkg: github.com/ory/fosite/token/jwt
alias: fositejwt
- pkg: github.com/go-jose/go-jose/v4/jwt
alias: josejwt
- pkg: github.com/go-jose/go-jose/v3
alias: oldjosev3
- pkg: go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1
alias: authenticationv1alpha1
- pkg: go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1
alias: clientsecretv1alpha1
- pkg: go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1
alias: supervisorconfigv1alpha1
- pkg: go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1
alias: conciergeconfigv1alpha1
- pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned
alias: conciergeclientset
- pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme
alias: conciergeclientsetscheme
- pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake
alias: conciergefake
- pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned
alias: supervisorclientset
- pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme
alias: supervisorclientsetscheme
- pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake
alias: supervisorfake
- pkg: k8s.io/client-go/kubernetes/fake
alias: kubefake
- pkg: go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1
alias: idpv1alpha1
- pkg: go.pinniped.dev/generated/latest/client/concierge/informers/externalversions
alias: conciergeinformers
- pkg: go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions
alias: supervisorinformers
- pkg: go.pinniped.dev/internal/concierge/scheme
alias: conciergescheme
no-unaliased: true # All packages explicitly listed above must be aliased
no-extra-aliases: false # Allow other aliases than the ones explicitly listed above
revive:
max-open-files: 2048
rules:
# Allow unused params that start with underscore. It can be nice to keep unused param names when implementing
# an interface sometimes, to help readers understand why it is unused in that particular implementation.
- name: unused-parameter
arguments:
- allowRegex: ^_
spancheck:
# https://golangci-lint.run/usage/linters/#spancheck
checks:
- end
- record-error
- set-status
exclusions:
generated: lax
presets:
- comments
- common-false-positives
- legacy
- std-error-handling
rules:
# exclude tests from some rules for things that are useful in a testing context.
- linters:
- funlen
- gochecknoglobals
- revive
path: _test\.go
- linters:
- revive
path: internal/testutil/
paths:
- generated
- third_party$
- builtin$
- examples$
formatters:
enable:
- copyloopvar
- intrange
# - fatcontext Starting in go@1.23.1 and golangci-lint@1.61.0 this gave a lot of false positives
# - canonicalheader Can't do this one since it alerts on valid headers such as X-XSS-Protection
- spancheck
- importas
- makezero
- prealloc
- gofmt
- goimports
settings:
gofmt:
# Simplify code: gofmt with `-s` option.
# Default: true
simplify: false
# Apply the rewrite rules to the source before reformatting.
# https://pkg.go.dev/cmd/gofmt
# Default: []
rewrite-rules:
- pattern: interface{}
replacement: any
- pattern: a[b:len(a)]
replacement: a[b:]
goimports:
local-prefixes:
- go.pinniped.dev
exclusions:
generated: lax
paths:
- generated
- third_party$
- builtin$
- examples$
issues:
exclude-dirs:
- generated
exclude-rules:
# exclude tests from some rules for things that are useful in a testing context.
- path: _test\.go
linters:
- funlen
- gochecknoglobals
- revive
- path: internal/testutil/
linters:
- revive
linters-settings:
funlen:
lines: 150
statements: 50
goheader:
values:
regexp:
# YYYY or YYYY-YYYY
YEARS: \d\d\d\d(-\d\d\d\d)?
template: |-
Copyright {{YEARS}} the Pinniped contributors. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
goimports:
local-prefixes: go.pinniped.dev
revive:
max-open-files: 2048
rules:
- name: unused-parameter
arguments:
# Allow unused params that start with underscore. It can be nice to keep unused param names when implementing
# an interface sometimes, to help readers understand why it is unused in that particular implementation.
- allowRegex: "^_"
spancheck:
# https://golangci-lint.run/usage/linters/#spancheck
checks:
- end
- record-error
- set-status
importas:
no-unaliased: true # All packages explicitly listed below must be aliased
no-extra-aliases: false # Allow other aliases than the ones explicitly listed below
alias:
# k8s.io/apimachinery
- pkg: k8s.io/apimachinery/pkg/util/errors
alias: utilerrors
- pkg: k8s.io/apimachinery/pkg/api/errors
alias: apierrors
- pkg: k8s.io/apimachinery/pkg/apis/meta/v1
alias: metav1
# k8s.io
- pkg: k8s.io/api/core/v1
alias: corev1
# OAuth2/OIDC/Fosite/JOSE
- pkg: github.com/coreos/go-oidc/v3/oidc
alias: coreosoidc
- pkg: github.com/ory/fosite/handler/oauth2
alias: fositeoauth2
- pkg: github.com/ory/fosite/token/jwt
alias: fositejwt
- pkg: github.com/go-jose/go-jose/v4/jwt
alias: josejwt
- pkg: github.com/go-jose/go-jose/v3
alias: oldjosev3
# Generated Pinniped
- pkg: go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1
alias: authenticationv1alpha1
- pkg: go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1
alias: clientsecretv1alpha1
- pkg: go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1
alias: supervisorconfigv1alpha1
- pkg: go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1
alias: conciergeconfigv1alpha1
- pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned
alias: conciergeclientset
- pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/scheme
alias: conciergeclientsetscheme
- pkg: go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake
alias: conciergefake
- pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned
alias: supervisorclientset
- pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/scheme
alias: supervisorclientsetscheme
- pkg: go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake
alias: supervisorfake
- pkg: go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1
alias: idpv1alpha1
- pkg: go.pinniped.dev/generated/latest/client/concierge/informers/externalversions
alias: conciergeinformers
- pkg: go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions
alias: supervisorinformers
# Pinniped internal
- pkg: go.pinniped.dev/internal/concierge/scheme
alias: conciergescheme
gofmt:
# Simplify code: gofmt with `-s` option.
# Default: true
simplify: false
# Apply the rewrite rules to the source before reformatting.
# https://pkg.go.dev/cmd/gofmt
# Default: []
rewrite-rules:
- pattern: 'interface{}'
replacement: 'any'
- pattern: 'a[b:len(a)]'
replacement: 'a[b:]'

2
ADOPTERS.md
View File

@@ -30,5 +30,5 @@ TMC uses Pinniped to provide a uniform authentication experience across all atta
## Adding your organization to the list of adopters
If you are using Pinniped and would like to be included in the list of Pinniped Adopters, add an SVG version of your logo that is less than 150 KB to
the [img directory](https://github.com/vmware/pinniped/tree/main/site/themes/pinniped/static/img) in this repo and submit a pull request with your change including 1-2 sentences describing how your organization is using Pinniped. Name the image file something that
the [img directory](https://github.com/vmware-tanzu/pinniped/tree/main/site/themes/pinniped/static/img) in this repo and submit a pull request with your change including 1-2 sentences describing how your organization is using Pinniped. Name the image file something that
reflects your company (e.g., if your company is called Acme, name the image acme.svg). Please feel free to send us a message in [#pinniped](https://kubernetes.slack.com/archives/C01BW364RJA) with any questions you may have.

37
CONTRIBUTING.md
View File

@@ -20,26 +20,26 @@ The near-term and mid-term roadmap for the work planned for the project [maintai
## Discussion
Got a question, comment, or idea? Please don't hesitate to reach out
via GitHub [Discussions](https://github.com/vmware/pinniped/discussions),
GitHub [Issues](https://github.com/vmware/pinniped/issues),
via GitHub [Discussions](https://github.com/vmware-tanzu/pinniped/discussions),
GitHub [Issues](https://github.com/vmware-tanzu/pinniped/issues),
or in the Kubernetes Slack Workspace within the [#pinniped channel](https://go.pinniped.dev/community/slack).
Join our [Google Group](https://go.pinniped.dev/community/group) to receive updates and meeting invitations.
## Issues
Need an idea for a project to get started contributing? Take a look at the open
[issues](https://github.com/vmware/pinniped/issues).
[issues](https://github.com/vmware-tanzu/pinniped/issues).
Also check to see if any open issues are labeled with
["good first issue"](https://github.com/vmware/pinniped/labels/good%20first%20issue)
or ["help wanted"](https://github.com/vmware/pinniped/labels/help%20wanted).
["good first issue"](https://github.com/vmware-tanzu/pinniped/labels/good%20first%20issue)
or ["help wanted"](https://github.com/vmware-tanzu/pinniped/labels/help%20wanted).
### Bugs
To file a bug report, please first open an
[issue](https://github.com/vmware/pinniped/issues/new?template=bug_report.md). The project team
[issue](https://github.com/vmware-tanzu/pinniped/issues/new?template=bug_report.md). The project team
will work with you on your bug report.
Once the bug has been validated, a [pull request](https://github.com/vmware/pinniped/compare)
Once the bug has been validated, a [pull request](https://github.com/vmware-tanzu/pinniped/compare)
can be opened to fix the bug.
For specifics on what to include in your bug report, please follow the
@@ -48,11 +48,11 @@ guidelines in the issue and pull request templates.
### Features
To suggest a feature, please first open an
[issue](https://github.com/vmware/pinniped/issues/new?template=feature-proposal.md)
and tag it with `proposal`, or create a new [Discussion](https://github.com/vmware/pinniped/discussions).
[issue](https://github.com/vmware-tanzu/pinniped/issues/new?template=feature-proposal.md)
and tag it with `proposal`, or create a new [Discussion](https://github.com/vmware-tanzu/pinniped/discussions).
The project [maintainers](MAINTAINERS.md) will work with you on your feature request.
Once the feature request has been validated, a [pull request](https://github.com/vmware/pinniped/compare)
Once the feature request has been validated, a [pull request](https://github.com/vmware-tanzu/pinniped/compare)
can be opened to implement the feature.
For specifics on what to include in your feature request, please follow the
@@ -127,7 +127,7 @@ go build -o pinniped ./cmd/pinniped
On macOS, these tools can be installed with [Homebrew](https://brew.sh/) (assuming you have Chrome installed already):
```bash
brew install kind carvel-dev/carvel/ytt carvel-dev/carvel/kapp kubectl nmap && brew cask install docker
brew install kind vmware-tanzu/carvel/ytt vmware-tanzu/carvel/kapp kubectl nmap && brew cask install docker
```
1. Create a kind cluster, compile, create container images, and install Pinniped and supporting test dependencies using:
@@ -144,7 +144,7 @@ go build -o pinniped ./cmd/pinniped
To run specific integration tests, add the `-run` flag to the above command to specify a regexp for the test names.
Use a leading `/` on the regexp because the Pinniped integration tests are automatically nested under several parent tests
(see [integration/main_test.go](https://github.com/vmware/pinniped/blob/main/test/integration/main_test.go)).
(see [integration/main_test.go](https://github.com/vmware-tanzu/pinniped/blob/main/test/integration/main_test.go)).
For example, to run an integration test called `TestE2E`, add `-run /TestE2E` to the command shown above.
1. After making production code changes, recompile, redeploy, and run tests again by repeating the same
@@ -177,20 +177,17 @@ Each run of `hack/prepare-for-integration-tests.sh` can result in different valu
### Observing Tests on the Continuous Integration Environment
CI will not be triggered on a pull request until the pull request is reviewed and
[CI](https://ci.pinniped.dev/teams/main/pipelines/pull-requests)
will not be triggered on a pull request until the pull request is reviewed and
approved for CI by a project [maintainer](MAINTAINERS.md). Once CI is triggered,
the progress and results will appear on the Github page for that
[pull request](https://github.com/vmware/pinniped/pulls) as checks. Links
[pull request](https://github.com/vmware-tanzu/pinniped/pulls) as checks. Links
will appear to view the details of each check.
Starting in mid-2025, Pinniped's CI system is no longer externally visible due to corporate policies.
Please contact the maintainers for help with your PR if you encounter any CI failures.
They will be happy to share CI logs with you directly for your PR.
## CI
Pinniped's CI configuration and code is in the [`ci`](https://github.com/vmware/pinniped/tree/ci)
branch of this repo.
Pinniped's CI configuration and code is in the [`ci`](https://github.com/vmware-tanzu/pinniped/tree/ci)
branch of this repo. The CI results are visible to the public at https://ci.pinniped.dev.
## Documentation

15
Dockerfile
View File

@@ -1,13 +1,13 @@
# syntax=docker/dockerfile:1
# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
ARG BUILD_IMAGE=golang:1.25.5@sha256:6cc2338c038bc20f96ab32848da2b5c0641bb9bb5363f2c33e9b7c8838f9a208
ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:2b7c93f6d6648c11f0e80a48558c8f77885eb0445213b8e69a6a0d7c89fc6ae4
ARG BUILD_IMAGE=golang:1.23.3@sha256:73f06be4578c9987ce560087e2e2ea6485fb605e3910542cadd8fa09fc5f3e31
ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:d71f4b239be2d412017b798a0a401c44c3049a3ca454838473a4c32ed076bfea
# Prepare to cross-compile by always running the build stage in the build platform, not the target platform.
FROM --platform=$BUILDPLATFORM $BUILD_IMAGE AS build-env
FROM --platform=$BUILDPLATFORM $BUILD_IMAGE as build-env
WORKDIR /work
@@ -21,9 +21,6 @@ ENV KUBE_GIT_VERSION=$KUBE_GIT_VERSION
ARG TARGETOS
ARG TARGETARCH
# If provided, must be a comma-separated list of Go build tags.
ARG ADDITIONAL_BUILD_TAGS
# Build the statically linked (CGO_ENABLED=0) binary.
# Mount source, build cache, and module cache for performance reasons.
# See https://www.docker.com/blog/faster-multi-platform-builds-dockerfile-cross-compilation-guide/
@@ -32,8 +29,8 @@ RUN \
--mount=type=cache,target=/cache/gocache \
--mount=type=cache,target=/cache/gomodcache \
export GOCACHE=/cache/gocache GOMODCACHE=/cache/gomodcache CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH && \
go build -tags $ADDITIONAL_BUILD_TAGS -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
go build -tags $ADDITIONAL_BUILD_TAGS -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \
go build -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -s" -o /usr/local/bin/pinniped-server ./cmd/pinniped-server/... && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-concierge && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/pinniped-supervisor && \
ln -s /usr/local/bin/pinniped-server /usr/local/bin/local-user-authenticator

4
GOVERNANCE.md
View File

@@ -11,7 +11,7 @@ all members should work together to achieve this goal.
# Code of Conduct
The Pinniped community abides by this
[code of conduct](https://github.com/vmware/pinniped/blob/main/CODE_OF_CONDUCT.md).
[code of conduct](https://github.com/vmware-tanzu/pinniped/blob/main/CODE_OF_CONDUCT.md).
# Community Roles
@@ -29,7 +29,7 @@ notifying one of the maintainers.
**Note:** If a maintainer leaves their employer they are still considered a maintainer of Pinniped, unless they
voluntarily resign. Employment is not taken into consideration when determining maintainer eligibility unless the
company itself violates our [Code of Conduct](https://github.com/vmware/pinniped/blob/main/CODE_OF_CONDUCT.md).
company itself violates our [Code of Conduct](https://github.com/vmware-tanzu/pinniped/blob/main/CODE_OF_CONDUCT.md).
# Decision Making

8
README.md
View File

@@ -19,8 +19,8 @@ Care to kick the tires? It's easy to [install and try Pinniped](https://pinniped
## Discussion
Got a question, comment, or idea? Please don't hesitate to reach out
via GitHub [Discussions](https://github.com/vmware/pinniped/discussions),
GitHub [Issues](https://github.com/vmware/pinniped/issues),
via GitHub [Discussions](https://github.com/vmware-tanzu/pinniped/discussions),
GitHub [Issues](https://github.com/vmware-tanzu/pinniped/issues),
or in the Kubernetes Slack Workspace within the [#pinniped channel](https://go.pinniped.dev/community/slack).
Join our [Google Group](https://go.pinniped.dev/community/group) to receive updates and meeting invitations.
@@ -37,7 +37,7 @@ building and testing the code, submitting PRs, and other contributor topics.
## Adopters
Some organizations and products using Pinniped are featured in [ADOPTERS.md](ADOPTERS.md).
Add your own organization or product [here](https://github.com/vmware/pinniped/discussions/152).
Add your own organization or product [here](https://github.com/vmware-tanzu/pinniped/discussions/152).
## Reporting security vulnerabilities
@@ -47,4 +47,4 @@ Please follow the procedure described in [SECURITY.md](SECURITY.md).
Pinniped is open source and licensed under Apache License Version 2.0. See [LICENSE](LICENSE).
Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.

8
ROADMAP.md
View File

@@ -10,17 +10,17 @@ help determine if a contribution could be conflicting with a longer term plan.
Discussion on the roadmap is welcomed. If you want to provide suggestions, use cases, and feedback to an item in the
roadmap, please reach out to the maintainers using one of the methods described in the project's
[README.md](https://github.com/vmware/pinniped#discussion).
[Contributions](https://github.com/vmware/pinniped/blob/main/CONTRIBUTING.md) to Pinniped are also welcomed.
[README.md](https://github.com/vmware-tanzu/pinniped#discussion).
[Contributions](https://github.com/vmware-tanzu/pinniped/blob/main/CONTRIBUTING.md) to Pinniped are also welcomed.
### How to add an item to the roadmap
One of the most important aspects in any open source community is the concept of proposals. Large changes to the
codebase and / or new features should be preceded by
a [proposal](https://github.com/vmware/pinniped/tree/main/proposals) in our repo.
a [proposal](https://github.com/vmware-tanzu/pinniped/tree/main/proposals) in our repo.
For smaller enhancements, you can open an issue to track that initiative or feature request.
We work with and rely on community feedback to focus our efforts to improve Pinniped and maintain a healthy roadmap.
Priorities and requirements change based on community feedback, roadblocks encountered, community contributions,
etc. If you depend on a specific item, we encourage you to reach out for updated status information, or help us deliver
that feature by [contributing](https://github.com/vmware/pinniped/blob/main/CONTRIBUTING.md) to Pinniped.
that feature by [contributing](https://github.com/vmware-tanzu/pinniped/blob/main/CONTRIBUTING.md) to Pinniped.

10
SECURITY.md
View File

@@ -10,11 +10,11 @@ As of right now, only the latest version of Pinniped is supported.
Security is of the highest importance and all security vulnerabilities or suspected security vulnerabilities should be reported to Pinniped privately, to minimize attacks against current users of Pinniped before they are fixed. Vulnerabilities will be investigated and patched on the next patch (or minor) release as soon as possible. This information could be kept entirely internal to the project.
If you know of a publicly disclosed security vulnerability for Pinniped, please **IMMEDIATELY** contact the VMware Security Team (vmware.psirt@broadcom.com). The use of encrypted email is encouraged. The public PGP key can be found at https://kb.vmware.com/kb/1055.
If you know of a publicly disclosed security vulnerability for Pinniped, please **IMMEDIATELY** contact the VMware Security Team (security@vmware.com). The use of encrypted email is encouraged. The public PGP key can be found at https://kb.vmware.com/kb/1055.
**IMPORTANT: Do not file public issues on GitHub for security vulnerabilities**
To report a vulnerability or a security-related issue, please contact the VMware email address with the details of the vulnerability. The email will be fielded by the VMware Security Team and then shared with the Pinniped maintainers who have committer and release permissions. Emails will be addressed within 3 business days, including a detailed plan to investigate the issue and any potential workarounds to perform in the meantime. Do not report non-security-impacting bugs through this channel. Use [GitHub issues](https://github.com/vmware/pinniped/issues/new/choose) instead.
To report a vulnerability or a security-related issue, please contact the VMware email address with the details of the vulnerability. The email will be fielded by the VMware Security Team and then shared with the Pinniped maintainers who have committer and release permissions. Emails will be addressed within 3 business days, including a detailed plan to investigate the issue and any potential workarounds to perform in the meantime. Do not report non-security-impacting bugs through this channel. Use [GitHub issues](https://github.com/vmware-tanzu/pinniped/issues/new/choose) instead.
## Proposed Email Content
@@ -48,13 +48,13 @@ The VMware Security Team will respond to vulnerability reports as follows:
## Public Disclosure Process
The Security Team publishes a [public advisory](https://github.com/vmware/pinniped/security/advisories) to the Pinniped community via GitHub. In most cases, additional communication via Slack, Twitter, mailing lists, blog and other channels will assist in educating Pinniped users and rolling out the patched release to affected users.
The Security Team publishes a [public advisory](https://github.com/vmware-tanzu/pinniped/security/advisories) to the Pinniped community via GitHub. In most cases, additional communication via Slack, Twitter, mailing lists, blog and other channels will assist in educating Pinniped users and rolling out the patched release to affected users.
The Security Team will also publish any mitigating steps users can take until the fix can be applied to their Pinniped instances. Pinniped distributors will handle creating and publishing their own security advisories.
## Mailing lists
* Use vmware.psirt@broadcom.com to report security concerns to the VMware Security Team, who uses the list to privately discuss security issues and fixes prior to disclosure. The use of encrypted email is encouraged. The public PGP key can be found at https://kb.vmware.com/kb/1055.
* Use security@vmware.com to report security concerns to the VMware Security Team, who uses the list to privately discuss security issues and fixes prior to disclosure. The use of encrypted email is encouraged. The public PGP key can be found at https://kb.vmware.com/kb/1055.
* Join the [Pinniped Distributors](https://groups.google.com/g/project-pinniped-distributors) mailing list for early private information and vulnerability disclosure. Early disclosure may include mitigating steps and additional information on security patch releases. See below for information on how Pinniped distributors or vendors can apply to join this list.
## Early Disclosure to Pinniped Distributors List
@@ -81,7 +81,7 @@ The information that members receive on the Pinniped Distributors mailing list m
Before you share any information from the list with members of your team who are required to fix the issue, these team members must agree to the same terms, and only be provided with information on a need-to-know basis.
In the unfortunate event that you share information beyond what is permitted by this policy, you must urgently inform the VMware Security Team (vmware.psirt@broadcom.com) of exactly what information was leaked and to whom. If you continue to leak information and break the policy outlined here, you will be permanently removed from the list.
In the unfortunate event that you share information beyond what is permitted by this policy, you must urgently inform the VMware Security Team (security@vmware.com) of exactly what information was leaked and to whom. If you continue to leak information and break the policy outlined here, you will be permanently removed from the list.
## Requesting to Join

2
apis/concierge/authentication/v1alpha1/doc.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:deepcopy-gen=package

2
apis/concierge/authentication/v1alpha1/register.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

239
apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -18,7 +18,7 @@ const (
JWTAuthenticatorPhaseError JWTAuthenticatorPhase = "Error"
)
// JWTAuthenticatorStatus is the status of a JWT authenticator.
// Status of a JWT authenticator.
type JWTAuthenticatorStatus struct {
// Represents the observations of the authenticator's current state.
// +patchMergeKey=type
@@ -26,255 +26,46 @@ type JWTAuthenticatorStatus struct {
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Phase summarizes the overall status of the JWTAuthenticator.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase JWTAuthenticatorPhase `json:"phase,omitempty"`
}
// JWTAuthenticatorSpec is the spec for configuring a JWT authenticator.
// Spec for configuring a JWT authenticator.
type JWTAuthenticatorSpec struct {
// issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
// Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
// also used to validate the "iss" JWT claim.
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:Pattern=`^https://`
Issuer string `json:"issuer"`
// audience is the required value of the "aud" JWT claim.
// Audience is the required value of the "aud" JWT claim.
// +kubebuilder:validation:MinLength=1
Audience string `json:"audience"`
// claims allows customization of the claims that will be mapped to user identity
// Claims allows customization of the claims that will be mapped to user identity
// for Kubernetes access.
// +optional
Claims JWTTokenClaims `json:"claims"`
// claimValidationRules are rules that are applied to validate token claims to authenticate users.
// This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration as documented in
// https://kubernetes.io/docs/reference/access-authn-authz/authentication.
// This is an advanced configuration option. During an end-user login flow, mistakes in this
// configuration will cause the user's login to fail.
// +optional
ClaimValidationRules []ClaimValidationRule `json:"claimValidationRules,omitempty"`
// userValidationRules are rules that are applied to final user before completing authentication.
// These allow invariants to be applied to incoming identities such as preventing the
// use of the system: prefix that is commonly used by Kubernetes components.
// The validation rules are logically ANDed together and must all return true for the validation to pass.
// This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration as documented in
// https://kubernetes.io/docs/reference/access-authn-authz/authentication.
// This is an advanced configuration option. During an end-user login flow, mistakes in this
// configuration will cause the user's login to fail.
// +optional
UserValidationRules []UserValidationRule `json:"userValidationRules,omitempty"`
// tls is the configuration for communicating with the OIDC provider via TLS.
// TLS configuration for communicating with the OIDC provider.
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
}
// ClaimValidationRule provides the configuration for a single claim validation rule.
type ClaimValidationRule struct {
// claim is the name of a required claim.
// Only string claim keys are supported.
// Mutually exclusive with expression and message.
// +optional
Claim string `json:"claim,omitempty"`
// requiredValue is the value of a required claim.
// Only string claim values are supported.
// If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string.
// Mutually exclusive with expression and message.
// +optional
RequiredValue string `json:"requiredValue,omitempty"`
// expression represents the expression which will be evaluated by CEL.
// Must produce a boolean.
//
// CEL expressions have access to the contents of the token claims, organized into CEL variable:
// - 'claims' is a map of claim names to claim values.
// For example, a variable named 'sub' can be accessed as 'claims.sub'.
// Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
// Must return true for the validation to pass.
//
// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
//
// Mutually exclusive with claim and requiredValue.
// +optional
Expression string `json:"expression,omitempty"`
// message customizes the returned error message when expression returns false.
// message is a literal string.
// Mutually exclusive with claim and requiredValue.
// +optional
Message string `json:"message,omitempty"`
}
// UserValidationRule provides the configuration for a single user info validation rule.
type UserValidationRule struct {
// expression represents the expression which will be evaluated by CEL.
// Must return true for the validation to pass.
//
// CEL expressions have access to the contents of UserInfo, organized into CEL variable:
// - 'user' - authentication.k8s.io/v1, Kind=UserInfo object
// Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition.
// API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io
//
// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
//
// +required
Expression string `json:"expression"`
// message customizes the returned error message when rule returns false.
// message is a literal string.
// +optional
Message string `json:"message,omitempty"`
}
// JWTTokenClaims allows customization of the claims that will be mapped to user identity
// for Kubernetes access.
type JWTTokenClaims struct {
// username is the name of the claim which should be read to extract the
// username from the JWT token. When not specified, it will default to "username",
// unless usernameExpression is specified.
//
// Mutually exclusive with usernameExpression. Use either username or usernameExpression to
// determine the user's username from the JWT token.
// +optional
Username string `json:"username"`
// usernameExpression represents an expression which will be evaluated by CEL.
// The expression's result will become the user's username.
//
// usernameExpression is similar to claimMappings.username.expression from Kubernetes AuthenticationConfiguration
// as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication.
// This is an advanced configuration option. During an end-user login flow, each of these CEL expressions
// must evaluate to the expected type without errors, or else the user's login will fail.
// Additionally, mistakes in this configuration can cause the users to have unintended usernames.
//
// The expression must produce a non-empty string value.
// If the expression uses 'claims.email', then 'claims.email_verified' must be used in
// the expression or extra[*].valueExpression or claimValidationRules[*].expression.
// An example claim validation rule expression that matches the validation automatically
// applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true) == true'.
// By explicitly comparing the value to true, we let type-checking see the result will be a boolean,
// and to make sure a non-boolean email_verified claim will be caught at runtime.
//
// CEL expressions have access to the contents of the token claims, organized into CEL variable:
// - 'claims' is a map of claim names to claim values.
// For example, a variable named 'sub' can be accessed as 'claims.sub'.
// Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
//
// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
//
// Mutually exclusive with username. Use either username or usernameExpression to
// determine the user's username from the JWT token.
// +optional
UsernameExpression string `json:"usernameExpression,omitempty"`
// groups is the name of the claim which should be read to extract the user's
// group membership from the JWT token. When not specified, it will default to "groups",
// unless groupsExpression is specified.
//
// Mutually exclusive with groupsExpression. Use either groups or groupsExpression to
// determine the user's group membership from the JWT token.
// Groups is the name of the claim which should be read to extract the user's
// group membership from the JWT token. When not specified, it will default to "groups".
// +optional
Groups string `json:"groups"`
// groupsExpression represents an expression which will be evaluated by CEL.
// The expression's result will become the user's group memberships.
//
// groupsExpression is similar to claimMappings.groups.expression from Kubernetes AuthenticationConfiguration
// as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication.
// This is an advanced configuration option. During an end-user login flow, each of these CEL expressions
// must evaluate to one of the expected types without errors, or else the user's login will fail.
// Additionally, mistakes in this configuration can cause the users to have unintended group memberships.
//
// The expression must produce a string or string array value.
// "", [], and null values are treated as the group mapping not being present.
//
// CEL expressions have access to the contents of the token claims, organized into CEL variable:
// - 'claims' is a map of claim names to claim values.
// For example, a variable named 'sub' can be accessed as 'claims.sub'.
// Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
//
// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
//
// Mutually exclusive with groups. Use either groups or groupsExpression to
// determine the user's group membership from the JWT token.
// Username is the name of the claim which should be read to extract the
// username from the JWT token. When not specified, it will default to "username".
// +optional
GroupsExpression string `json:"groupsExpression,omitempty"`
// extra is similar to claimMappings.extra from Kubernetes AuthenticationConfiguration
// as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication.
//
// However, note that the Pinniped Concierge issues client certificates to users for the purpose
// of authenticating, and the Kubernetes API server does not have any mechanism for transmitting
// auth extras via client certificates. When configured, these extras will appear in client
// certificates issued by the Pinniped Supervisor in the x509 Subject field as Organizational
// Units (OU). However, when this client certificate is presented to Kubernetes for authentication,
// Kubernetes will ignore these extras. This is probably only useful if you are using a custom
// authenticating proxy in front of your Kubernetes API server which can translate these OUs into
// auth extras, as described by
// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authenticating-proxy.
// This is an advanced configuration option. During an end-user login flow, each of these CEL expressions
// must evaluate to either a string or an array of strings, or else the user's login will fail.
//
// These keys must be a domain-prefixed path (such as "acme.io/foo") and must not contain an equals sign ("=").
//
// expression must produce a string or string array value.
// If the value is empty, the extra mapping will not be present.
//
// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
//
// hard-coded extra key/value
// - key: "acme.io/foo"
// valueExpression: "'bar'"
// This will result in an extra attribute - acme.io/foo: ["bar"]
//
// hard-coded key, value copying claim value
// - key: "acme.io/foo"
// valueExpression: "claims.some_claim"
// This will result in an extra attribute - acme.io/foo: [value of some_claim]
//
// hard-coded key, value derived from claim value
// - key: "acme.io/admin"
// valueExpression: '(has(claims.is_admin) && claims.is_admin) ? "true":""'
// This will result in:
// - if is_admin claim is present and true, extra attribute - acme.io/admin: ["true"]
// - if is_admin claim is present and false or is_admin claim is not present, no extra attribute will be added
//
// +optional
Extra []ExtraMapping `json:"extra,omitempty"`
}
// ExtraMapping provides the configuration for a single extra mapping.
type ExtraMapping struct {
// key is a string to use as the extra attribute key.
// key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid
// subdomain as defined by RFC 1123. All characters trailing the first "/" must
// be valid HTTP Path characters as defined by RFC 3986.
// key must be lowercase.
// Required to be unique.
// Additionally, the key must not contain an equals sign ("=").
// +required
Key string `json:"key"`
// valueExpression is a CEL expression to extract extra attribute value.
// valueExpression must produce a string or string array value.
// "", [], and null values are treated as the extra mapping not being present.
// Empty string values contained within a string array are filtered out.
//
// CEL expressions have access to the contents of the token claims, organized into CEL variable:
// - 'claims' is a map of claim names to claim values.
// For example, a variable named 'sub' can be accessed as 'claims.sub'.
// Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
//
// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
//
// +required
ValueExpression string `json:"valueExpression"`
Username string `json:"username"`
}
// JWTAuthenticator describes the configuration of a JWT authenticator.
@@ -295,14 +86,14 @@ type JWTAuthenticator struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// spec for configuring the authenticator.
// Spec for configuring the authenticator.
Spec JWTAuthenticatorSpec `json:"spec"`
// status of the authenticator.
// Status of the authenticator.
Status JWTAuthenticatorStatus `json:"status,omitempty"`
}
// JWTAuthenticatorList is a list of JWTAuthenticator objects.
// List of JWTAuthenticator objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type JWTAuthenticatorList struct {
metav1.TypeMeta `json:",inline"`

2
apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/concierge/config/v1alpha1/doc.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:deepcopy-gen=package

2
apis/concierge/config/v1alpha1/register.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

20
apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -161,6 +161,24 @@ type ImpersonationProxyServiceSpec struct {
type CredentialIssuerStatus struct {
// List of integration strategies that were attempted by Pinniped.
Strategies []CredentialIssuerStrategy `json:"strategies"`
// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
// This field is deprecated and will be removed in a future version.
// +optional
KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
}
// CredentialIssuerKubeConfigInfo provides the information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
// This type is deprecated and will be removed in a future version.
type CredentialIssuerKubeConfigInfo struct {
// The K8s API server URL.
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:Pattern=`^https://|^http://`
Server string `json:"server"`
// The K8s API server CA bundle.
// +kubebuilder:validation:MinLength=1
CertificateAuthorityData string `json:"certificateAuthorityData"`
}
// CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped.

2
apis/concierge/identity/doc.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:deepcopy-gen=package

2
apis/concierge/identity/register.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package identity

2
apis/concierge/identity/types_userinfo.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package identity

2
apis/concierge/identity/types_whoamirequest.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package identity

2
apis/concierge/identity/v1alpha1/conversion.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/concierge/identity/v1alpha1/defaults.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

3
apis/concierge/identity/v1alpha1/doc.go.tmpl
View File

@@ -1,11 +1,10 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:openapi-gen=true
// +k8s:deepcopy-gen=package
// +k8s:conversion-gen=go.pinniped.dev/GENERATED_PKG/apis/concierge/identity
// +k8s:defaulter-gen=TypeMeta
// +k8s:openapi-model-package=dev.pinniped.apis.concierge.identity.v1alpha1
// +groupName=identity.concierge.pinniped.dev
// Package v1alpha1 is the v1alpha1 version of the Pinniped identity API.

2
apis/concierge/identity/v1alpha1/register.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/concierge/identity/v1alpha1/types_userinfo.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/concierge/identity/v1alpha1/types_whoamirequest.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/concierge/identity/validation/validation.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package validation

2
apis/concierge/login/doc.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:deepcopy-gen=package

2
apis/concierge/login/register.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package login

2
apis/concierge/login/types_clustercredential.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package login

2
apis/concierge/login/types_tokencredentialrequest.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package login

2
apis/concierge/login/v1alpha1/conversion.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/concierge/login/v1alpha1/defaults.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

3
apis/concierge/login/v1alpha1/doc.go.tmpl
View File

@@ -1,11 +1,10 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:openapi-gen=true
// +k8s:deepcopy-gen=package
// +k8s:conversion-gen=go.pinniped.dev/GENERATED_PKG/apis/concierge/login
// +k8s:defaulter-gen=TypeMeta
// +k8s:openapi-model-package=dev.pinniped.apis.concierge.login.v1alpha1
// +groupName=login.concierge.pinniped.dev
// Package v1alpha1 is the v1alpha1 version of the Pinniped login API.

2
apis/concierge/login/v1alpha1/register.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/concierge/login/v1alpha1/types_clustercredential.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/concierge/login/v1alpha1/types_tokencredentialrequest.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/supervisor/clientsecret/doc.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:deepcopy-gen=package

2
apis/supervisor/clientsecret/register.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package clientsecret

2
apis/supervisor/clientsecret/types_oidcclientsecretrequest.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package clientsecret

2
apis/supervisor/clientsecret/v1alpha1/conversion.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/supervisor/clientsecret/v1alpha1/defaults.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

3
apis/supervisor/clientsecret/v1alpha1/doc.go.tmpl
View File

@@ -1,11 +1,10 @@
// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:openapi-gen=true
// +k8s:deepcopy-gen=package
// +k8s:conversion-gen=go.pinniped.dev/GENERATED_PKG/apis/supervisor/clientsecret
// +k8s:defaulter-gen=TypeMeta
// +k8s:openapi-model-package=dev.pinniped.apis.supervisor.clientsecret.v1alpha1
// +groupName=clientsecret.supervisor.pinniped.dev
// Package v1alpha1 is the v1alpha1 version of the Pinniped client secret API.

2
apis/supervisor/clientsecret/v1alpha1/register.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/supervisor/clientsecret/v1alpha1/types_oidcclientsecretrequest.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/supervisor/config/v1alpha1/doc.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:deepcopy-gen=package

2
apis/supervisor/config/v1alpha1/register.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

3
apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -209,7 +209,6 @@ type FederationDomainSpec struct {
// See
// https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:XValidation:message="issuer must be an HTTPS URL",rule="isURL(self) && url(self).getScheme() == 'https'"
Issuer string `json:"issuer"`
// TLS specifies a secret which will contain Transport Layer Security (TLS) configuration for the FederationDomain.

2
apis/supervisor/config/v1alpha1/types_oidcclient.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/supervisor/idp/v1alpha1/doc.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:deepcopy-gen=package

2
apis/supervisor/idp/v1alpha1/register.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/supervisor/idp/v1alpha1/types_activedirectoryidentityprovider.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2024-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/supervisor/idp/v1alpha1/types_ldapidentityprovider.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/supervisor/idp/v1alpha1/types_oidcidentityprovider.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/supervisor/idp/v1alpha1/types_tls.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
apis/supervisor/oidc/types_supervisor_oidc.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package oidc

46
cmd/pinniped/cmd/audit_id.go
View File

@@ -1,46 +0,0 @@
// Copyright 2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
import (
"net/http"
"go.pinniped.dev/internal/httputil/roundtripper"
"go.pinniped.dev/internal/plog"
)
type auditIDLoggerFunc func(path string, statusCode int, auditID string)
func logAuditID(path string, statusCode int, auditID string) {
plog.Info("Received auditID for failed request",
"path", path,
"statusCode", statusCode,
"auditID", auditID)
}
func LogAuditIDTransportWrapper(rt http.RoundTripper) http.RoundTripper {
return logAuditIDTransportWrapper(rt, logAuditID)
}
func logAuditIDTransportWrapper(rt http.RoundTripper, auditIDLoggerFunc auditIDLoggerFunc) http.RoundTripper {
return roundtripper.WrapFunc(rt, func(r *http.Request) (*http.Response, error) {
response, responseErr := rt.RoundTrip(r)
if responseErr != nil ||
response == nil ||
response.Header.Get("audit-ID") == "" ||
response.Request == nil ||
response.Request.URL == nil {
return response, responseErr
}
// Use the request path from the response's request, in case the
// original request was modified by any other roudtrippers in the chain.
auditIDLoggerFunc(response.Request.URL.Path,
response.StatusCode,
response.Header.Get("audit-ID"))
return response, responseErr
})
}

116
cmd/pinniped/cmd/audit_id_test.go
View File

@@ -1,116 +0,0 @@
// Copyright 2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
import (
"errors"
"net/http"
"net/url"
"testing"
"github.com/stretchr/testify/require"
"go.pinniped.dev/internal/httputil/roundtripper"
)
func TestLogAuditIDTransportWrapper(t *testing.T) {
canonicalAuditIdHeaderName := "Audit-Id"
tests := []struct {
name string
response *http.Response
responseErr error
want func(t *testing.T, called func()) auditIDLoggerFunc
wantCalled bool
}{
{
name: "happy HTTP response - no error and no log",
response: &http.Response{ // no headers
StatusCode: http.StatusOK,
Request: &http.Request{
URL: &url.URL{
Path: "some-path-from-response-request",
},
},
},
responseErr: nil,
want: func(t *testing.T, called func()) auditIDLoggerFunc {
return func(_ string, _ int, _ string) {
called()
}
},
wantCalled: false, // make it obvious
},
{
name: "nil HTTP response - no error and no log",
response: nil,
responseErr: nil,
want: func(t *testing.T, called func()) auditIDLoggerFunc {
return func(_ string, _ int, _ string) {
called()
}
},
wantCalled: false, // make it obvious
},
{
name: "err HTTP response - no error and no log",
response: nil,
responseErr: errors.New("some error"),
want: func(t *testing.T, called func()) auditIDLoggerFunc {
return func(_ string, _ int, _ string) {
called()
}
},
wantCalled: false, // make it obvious
},
{
name: "happy HTTP response with audit-ID - logs",
response: &http.Response{
Header: http.Header{
canonicalAuditIdHeaderName: []string{"some-audit-id", "some-other-audit-id-that-will-never-be-seen"},
},
StatusCode: http.StatusBadGateway, // statusCode does not matter
Request: &http.Request{
URL: &url.URL{
Path: "some-path-from-response-request",
},
},
},
want: func(t *testing.T, called func()) auditIDLoggerFunc {
return func(path string, statusCode int, auditID string) {
called()
require.Equal(t, "some-path-from-response-request", path)
require.Equal(t, http.StatusBadGateway, statusCode)
require.Equal(t, "some-audit-id", auditID)
}
},
wantCalled: true, // make it obvious
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
require.NotNil(t, test.want)
mockRequest := &http.Request{
URL: &url.URL{
Path: "should-never-use-this-path",
},
}
var mockRt roundtripper.Func = func(r *http.Request) (*http.Response, error) {
require.Equal(t, mockRequest, r)
return test.response, test.responseErr
}
called := false
subjectRt := logAuditIDTransportWrapper(mockRt, test.want(t, func() {
called = true
}))
actualResponse, err := subjectRt.RoundTrip(mockRequest) //nolint:bodyclose // there is no Body.
require.Equal(t, test.responseErr, err) // This roundtripper only returns mocked errors.
require.Equal(t, test.response, actualResponse)
require.Equal(t, test.wantCalled, called,
"want logFunc to be called: %t, actually was called: %t", test.wantCalled, called)
})
}
}

18
cmd/pinniped/cmd/kube_util.go
View File

@@ -1,36 +1,34 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
import (
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/tools/clientcmd"
aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
"go.pinniped.dev/internal/groupsuffix"
"go.pinniped.dev/internal/kubeclient"
)
// getClientsetsFunc is a function that can return clients for the Concierge and Kubernetes APIs given a
// getConciergeClientsetFunc is a function that can return a clientset for the Concierge API given a
// clientConfig and the apiGroupSuffix with which the API is running.
type getClientsetsFunc func(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, kubernetes.Interface, aggregatorclient.Interface, error)
type getConciergeClientsetFunc func(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, error)
// getRealClientsets returns real implementations of the Concierge and Kubernetes client interfaces.
func getRealClientsets(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, kubernetes.Interface, aggregatorclient.Interface, error) {
// getRealConciergeClientset returns a real implementation of a conciergeclientset.Interface.
func getRealConciergeClientset(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, error) {
restConfig, err := clientConfig.ClientConfig()
if err != nil {
return nil, nil, nil, err
return nil, err
}
client, err := kubeclient.New(
kubeclient.WithConfig(restConfig),
kubeclient.WithMiddleware(groupsuffix.New(apiGroupSuffix)),
)
if err != nil {
return nil, nil, nil, err
return nil, err
}
return client.PinnipedConcierge, client.Kubernetes, client.Aggregation, nil
return client.PinnipedConcierge, nil
}
// newClientConfig returns a clientcmd.ClientConfig given an optional kubeconfig path override and

178
cmd/pinniped/cmd/kubeconfig.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@@ -20,12 +20,10 @@ import (
coreosoidc "github.com/coreos/go-oidc/v3/oidc"
"github.com/spf13/cobra"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
_ "k8s.io/client-go/plugin/pkg/client/auth" // Adds handlers for various dynamic auth plugins in client-go
"k8s.io/client-go/tools/clientcmd"
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
conciergeconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
@@ -40,7 +38,7 @@ import (
type kubeconfigDeps struct {
getenv func(key string) string
getPathToSelf func() (string, error)
getClientsets getClientsetsFunc
getClientset getConciergeClientsetFunc
log plog.MinLogger
}
@@ -48,7 +46,7 @@ func kubeconfigRealDeps() kubeconfigDeps {
return kubeconfigDeps{
getenv: os.Getenv,
getPathToSelf: os.Executable,
getClientsets: getRealClientsets,
getClientset: getRealConciergeClientset,
log: plog.New(),
}
}
@@ -217,7 +215,7 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
return fmt.Errorf("could not load --kubeconfig/--kubeconfig-context: %w", err)
}
cluster := currentKubeConfig.Clusters[currentKubeconfigNames.ClusterName]
conciergeClient, kubeClient, aggregatorClient, err := deps.getClientsets(clientConfig, flags.concierge.apiGroupSuffix)
clientset, err := deps.getClientset(clientConfig, flags.concierge.apiGroupSuffix)
if err != nil {
return fmt.Errorf("could not configure Kubernetes client: %w", err)
}
@@ -230,15 +228,13 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
}
if !flags.concierge.disabled {
// Look up the Concierge's CredentialIssuer, and optionally wait for it to have no pending strategies showing in its status.
credentialIssuer, err := waitForCredentialIssuer(ctx, conciergeClient, flags, deps)
credentialIssuer, err := waitForCredentialIssuer(ctx, clientset, flags, deps)
if err != nil {
return err
}
// Decide which Concierge authenticator should be used in the resulting kubeconfig.
authenticator, err := lookupAuthenticator(
conciergeClient,
clientset,
flags.concierge.authenticatorType,
flags.concierge.authenticatorName,
deps.log,
@@ -246,15 +242,10 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
if err != nil {
return err
}
// Discover from the CredentialIssuer how the resulting kubeconfig should be configured to talk to this Concierge.
if err := discoverConciergeParams(credentialIssuer, &flags, cluster, deps.log); err != nil {
return err
}
// Discover how the resulting kubeconfig should interact with the selected authenticator.
// For a JWTAuthenticator, this includes discovering how to talk to the OIDC issuer configured in its spec fields.
if err := discoverAuthenticatorParams(ctx, authenticator, &flags, kubeClient, aggregatorClient, deps.log); err != nil {
if err := discoverAuthenticatorParams(authenticator, &flags, deps.log); err != nil {
return err
}
@@ -264,7 +255,6 @@ func runGetKubeconfig(ctx context.Context, out io.Writer, deps kubeconfigDeps, f
}
if len(flags.oidc.issuer) > 0 {
// The OIDC provider may or may not be a Pinniped Supervisor. Find out.
err = pinnipedSupervisorDiscovery(ctx, &flags, deps.log)
if err != nil {
return err
@@ -416,7 +406,10 @@ func waitForCredentialIssuer(ctx context.Context, clientset conciergeclientset.I
deadline, _ := ctx.Deadline()
attempts := 1
for hasPendingStrategy(credentialIssuer) {
for {
if !hasPendingStrategy(credentialIssuer) {
break
}
logStrategies(credentialIssuer, deps.log)
deps.log.Info("waiting for CredentialIssuer pending strategies to finish",
"attempts", attempts,
@@ -495,14 +488,7 @@ func logStrategies(credentialIssuer *conciergeconfigv1alpha1.CredentialIssuer, l
}
}
func discoverAuthenticatorParams(
ctx context.Context,
authenticator metav1.Object,
flags *getKubeconfigParams,
kubeClient kubernetes.Interface,
aggregatorClient aggregatorclient.Interface,
log plog.MinLogger,
) error {
func discoverAuthenticatorParams(authenticator metav1.Object, flags *getKubeconfigParams, log plog.MinLogger) error {
switch auth := authenticator.(type) {
case *authenticationv1alpha1.WebhookAuthenticator:
// If the --concierge-authenticator-type/--concierge-authenticator-name flags were not set explicitly, set
@@ -534,130 +520,19 @@ func discoverAuthenticatorParams(
}
// If the --oidc-ca-bundle flags was not set explicitly, default it to the
// spec.tls.certificateAuthorityData field of the JWTAuthenticator, if that field is set, or else
// try to discover it from the spec.tls.certificateAuthorityDataSource, if that field is set.
if len(flags.oidc.caBundle) == 0 && auth.Spec.TLS != nil {
err := discoverOIDCCABundle(ctx, auth, flags, kubeClient, aggregatorClient, log)
// spec.tls.certificateAuthorityData field of the JWTAuthenticator.
if len(flags.oidc.caBundle) == 0 && auth.Spec.TLS != nil && auth.Spec.TLS.CertificateAuthorityData != "" {
decoded, err := base64.StdEncoding.DecodeString(auth.Spec.TLS.CertificateAuthorityData)
if err != nil {
return err
return fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator %s has invalid spec.tls.certificateAuthorityData: %w", auth.Name, err)
}
log.Info("discovered OIDC CA bundle", "roots", countCACerts(decoded))
flags.oidc.caBundle = decoded
}
}
return nil
}
func discoverOIDCCABundle(
ctx context.Context,
jwtAuthenticator *authenticationv1alpha1.JWTAuthenticator,
flags *getKubeconfigParams,
kubeClient kubernetes.Interface,
aggregatorClient aggregatorclient.Interface,
log plog.MinLogger,
) error {
if jwtAuthenticator.Spec.TLS.CertificateAuthorityData != "" {
decodedCABundleData, err := base64.StdEncoding.DecodeString(jwtAuthenticator.Spec.TLS.CertificateAuthorityData)
if err != nil {
return fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator %s has invalid spec.tls.certificateAuthorityData: %w", jwtAuthenticator.Name, err)
}
log.Info("discovered OIDC CA bundle", "roots", countCACerts(decodedCABundleData))
flags.oidc.caBundle = decodedCABundleData
} else if jwtAuthenticator.Spec.TLS.CertificateAuthorityDataSource != nil {
caBundleData, err := discoverOIDCCABundleFromCertificateAuthorityDataSource(
ctx, jwtAuthenticator, flags.concierge.apiGroupSuffix, kubeClient, aggregatorClient, log)
if err != nil {
return err
}
flags.oidc.caBundle = caBundleData
}
return nil
}
func discoverOIDCCABundleFromCertificateAuthorityDataSource(
ctx context.Context,
jwtAuthenticator *authenticationv1alpha1.JWTAuthenticator,
apiGroupSuffix string,
kubeClient kubernetes.Interface,
aggregatorClient aggregatorclient.Interface,
log plog.MinLogger,
) ([]byte, error) {
conciergeNamespace, err := discoverConciergeNamespace(ctx, apiGroupSuffix, aggregatorClient)
if err != nil {
return nil, fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but encountered error discovering namespace of Concierge for JWTAuthenticator %s: %w", jwtAuthenticator.Name, err)
}
log.Info("discovered Concierge namespace for API group suffix", "apiGroupSuffix", apiGroupSuffix)
var caBundleData []byte
var keyExisted bool
caSource := jwtAuthenticator.Spec.TLS.CertificateAuthorityDataSource
// Note that the Kind, Name, and Key fields must all be non-empty, and Kind must be Secret or ConfigMap, due to CRD validations.
switch caSource.Kind {
case authenticationv1alpha1.CertificateAuthorityDataSourceKindConfigMap:
caBundleConfigMap, err := kubeClient.CoreV1().ConfigMaps(conciergeNamespace).Get(ctx, caSource.Name, metav1.GetOptions{})
if err != nil {
return nil, fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but encountered error getting %s %s/%s specified by JWTAuthenticator %s spec.tls.certificateAuthorityDataSource: %w",
caSource.Kind, conciergeNamespace, caSource.Name, jwtAuthenticator.Name, err)
}
var caBundleDataStr string
caBundleDataStr, keyExisted = caBundleConfigMap.Data[caSource.Key]
caBundleData = []byte(caBundleDataStr)
case authenticationv1alpha1.CertificateAuthorityDataSourceKindSecret:
caBundleSecret, err := kubeClient.CoreV1().Secrets(conciergeNamespace).Get(ctx, caSource.Name, metav1.GetOptions{})
if err != nil {
return nil, fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but encountered error getting %s %s/%s specified by JWTAuthenticator %s spec.tls.certificateAuthorityDataSource: %w",
caSource.Kind, conciergeNamespace, caSource.Name, jwtAuthenticator.Name, err)
}
caBundleData, keyExisted = caBundleSecret.Data[caSource.Key]
default:
return nil, fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator %s spec.tls.certificateAuthorityDataSource.Kind value %q is not supported by this CLI version",
jwtAuthenticator.Name, caSource.Kind)
}
if !keyExisted {
return nil, fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but key %q specified by JWTAuthenticator %s spec.tls.certificateAuthorityDataSource.key does not exist in %s %s/%s",
caSource.Key, jwtAuthenticator.Name, caSource.Kind, conciergeNamespace, caSource.Name)
}
if len(caBundleData) == 0 {
return nil, fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but key %q specified by JWTAuthenticator %s spec.tls.certificateAuthorityDataSource.key exists but has empty value in %s %s/%s",
caSource.Key, jwtAuthenticator.Name, caSource.Kind, conciergeNamespace, caSource.Name)
}
numCACerts := countCACerts(caBundleData)
if numCACerts == 0 {
return nil, fmt.Errorf("tried to autodiscover --oidc-ca-bundle, but value at key %q specified by JWTAuthenticator %s spec.tls.certificateAuthorityDataSource.key does not contain any CA certificates in %s %s/%s",
caSource.Key, jwtAuthenticator.Name, caSource.Kind, conciergeNamespace, caSource.Name)
}
log.Info("discovered OIDC CA bundle from JWTAuthenticator spec.tls.certificateAuthorityDataSource", "roots", numCACerts)
return caBundleData, nil
}
func discoverConciergeNamespace(ctx context.Context, apiGroupSuffix string, aggregatorClient aggregatorclient.Interface) (string, error) {
// Let's look for the APIService for the API group of the Concierge's TokenCredentialRequest aggregated API.
apiGroup := "login.concierge." + apiGroupSuffix
// List all APIServices.
apiServiceList, err := aggregatorClient.ApiregistrationV1().APIServices().List(ctx, metav1.ListOptions{})
if err != nil {
return "", fmt.Errorf("error listing APIServices: %w", err)
}
// Find one with the expected API group name.
for _, apiService := range apiServiceList.Items {
if apiService.Spec.Group == apiGroup {
if apiService.Spec.Service.Namespace != "" {
// We are assuming that all API versions (e.g. v1alpha1) of this API group are backed by service(s)
// in the same namespace, which is the namespace of the Concierge hosting this API suffix.
return apiService.Spec.Service.Namespace, nil
}
}
}
// Couldn't find any APIService for the expected API group name which contained a namespace reference in its spec.
return "", fmt.Errorf("could not find APIService with non-empty spec.service.namespace for API group %s", apiGroup)
}
func getConciergeFrontend(credentialIssuer *conciergeconfigv1alpha1.CredentialIssuer, mode conciergeModeFlag) (*conciergeconfigv1alpha1.CredentialIssuerFrontend, error) {
for _, strategy := range credentialIssuer.Status.Strategies {
// Skip unhealthy strategies.
@@ -665,15 +540,26 @@ func getConciergeFrontend(credentialIssuer *conciergeconfigv1alpha1.CredentialIs
continue
}
// If the strategy frontend is nil, skip.
// Backfill the .status.strategies[].frontend field from .status.kubeConfigInfo for backwards compatibility.
if strategy.Type == conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType && strategy.Frontend == nil && credentialIssuer.Status.KubeConfigInfo != nil {
strategy = *strategy.DeepCopy()
strategy.Frontend = &conciergeconfigv1alpha1.CredentialIssuerFrontend{
Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
Server: credentialIssuer.Status.KubeConfigInfo.Server,
CertificateAuthorityData: credentialIssuer.Status.KubeConfigInfo.CertificateAuthorityData,
},
}
}
// If the strategy frontend is still nil, skip.
if strategy.Frontend == nil {
continue
}
// Skip any unknown frontend types.
switch strategy.Frontend.Type {
case conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
conciergeconfigv1alpha1.ImpersonationProxyFrontendType:
case conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType, conciergeconfigv1alpha1.ImpersonationProxyFrontendType:
default:
continue
}

738
cmd/pinniped/cmd/kubeconfig_test.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@@ -11,20 +11,15 @@ import (
"os"
"path/filepath"
"slices"
"strings"
"testing"
"time"
"github.com/stretchr/testify/require"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/client-go/kubernetes"
kubefake "k8s.io/client-go/kubernetes/fake"
kubetesting "k8s.io/client-go/testing"
"k8s.io/client-go/tools/clientcmd"
v1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
aggregatorfake "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/fake"
"k8s.io/utils/ptr"
authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
@@ -70,69 +65,14 @@ func TestGetKubeconfig(t *testing.T) {
}
}
caBundleInSecret := func(issuerCABundle, secretName, secretNamespace, secretDataKey string) runtime.Object {
return &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: secretName,
Namespace: secretNamespace,
},
Data: map[string][]byte{
secretDataKey: []byte(issuerCABundle),
"other": []byte("unrelated"),
},
}
}
caBundleInConfigmap := func(issuerCABundle, cmName, cmNamespace, cmDataKey string) runtime.Object {
return &corev1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Name: cmName,
Namespace: cmNamespace,
},
Data: map[string]string{
cmDataKey: issuerCABundle,
"other": "unrelated",
},
}
}
jwtAuthenticator := func(issuerCABundle, issuerURL string) *authenticationv1alpha1.JWTAuthenticator {
encodedCABundle := ""
if issuerCABundle != "" {
encodedCABundle = base64.StdEncoding.EncodeToString([]byte(issuerCABundle))
}
jwtAuthenticator := func(issuerCABundle string, issuerURL string) runtime.Object {
return &authenticationv1alpha1.JWTAuthenticator{
ObjectMeta: metav1.ObjectMeta{Name: "test-authenticator"},
Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
Issuer: issuerURL,
Audience: "test-audience",
TLS: &authenticationv1alpha1.TLSSpec{
CertificateAuthorityData: encodedCABundle,
},
},
}
}
jwtAuthenticatorWithCABundleDataSource := func(sourceKind, sourceName, sourceKey, issuerURL string) runtime.Object {
authenticator := jwtAuthenticator("", issuerURL)
authenticator.Spec.TLS.CertificateAuthorityDataSource = &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{
Kind: authenticationv1alpha1.CertificateAuthorityDataSourceKind(sourceKind),
Name: sourceName,
Key: sourceKey,
}
return authenticator
}
apiService := func(group, version, serviceNamespace string) *v1.APIService {
return &v1.APIService{
ObjectMeta: metav1.ObjectMeta{
Name: version + "." + group,
},
Spec: v1.APIServiceSpec{
Group: group,
Version: version,
Service: &v1.ServiceReference{
Namespace: serviceNamespace,
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(issuerCABundle)),
},
},
}
@@ -205,11 +145,7 @@ func TestGetKubeconfig(t *testing.T) {
getPathToSelfErr error
getClientsetErr error
conciergeObjects func(string, string) []runtime.Object
kubeObjects func(string) []runtime.Object
apiServiceObjects []runtime.Object
conciergeReactions []kubetesting.Reactor
kubeReactions []kubetesting.Reactor
apiServiceReactions []kubetesting.Reactor
oidcDiscoveryResponse func(string) string
oidcDiscoveryStatusCode int
idpsDiscoveryResponse string
@@ -678,18 +614,18 @@ func TestGetKubeconfig(t *testing.T) {
&conciergeconfigv1alpha1.CredentialIssuer{
ObjectMeta: metav1.ObjectMeta{Name: "test-credential-issuer"},
Status: conciergeconfigv1alpha1.CredentialIssuerStatus{
KubeConfigInfo: &conciergeconfigv1alpha1.CredentialIssuerKubeConfigInfo{
Server: "https://concierge-endpoint",
CertificateAuthorityData: "ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==",
},
Strategies: []conciergeconfigv1alpha1.CredentialIssuerStrategy{{
Type: conciergeconfigv1alpha1.KubeClusterSigningCertificateStrategyType,
Status: conciergeconfigv1alpha1.SuccessStrategyStatus,
Reason: conciergeconfigv1alpha1.FetchedKeyStrategyReason,
Message: "Successfully fetched key",
LastUpdateTime: metav1.Now(),
Frontend: &conciergeconfigv1alpha1.CredentialIssuerFrontend{
Type: conciergeconfigv1alpha1.TokenCredentialRequestAPIFrontendType,
TokenCredentialRequestAPIInfo: &conciergeconfigv1alpha1.TokenCredentialRequestAPIInfo{
Server: "https://concierge-endpoint.example.com",
},
},
// Simulate a previous version of CredentialIssuer that's missing this Frontend field.
Frontend: nil,
}},
},
},
@@ -721,321 +657,6 @@ func TestGetKubeconfig(t *testing.T) {
return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7` + "\n")
},
},
{
name: "autodetect JWT authenticator with CA bundle in Secret, but Secret not found",
args: func(issuerCABundle string, issuerURL string) []string {
return []string{
"--kubeconfig", "./testdata/kubeconfig.yaml",
}
},
conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
return []runtime.Object{
credentialIssuer(),
jwtAuthenticatorWithCABundleDataSource("Secret", "my-ca-secret", "ca.crt", issuerURL),
}
},
apiServiceObjects: []runtime.Object{
apiService("login.concierge.pinniped.dev", "v1alpha1", "test-concierge-namespace"),
},
wantLogs: func(issuerCABundle string, issuerURL string) []string {
return []string{
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered CredentialIssuer {"name": "test-credential-issuer"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge operating in TokenCredentialRequest API mode`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge endpoint {"endpoint": "https://fake-server-url-value"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge certificate authority bundle {"roots": 0}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered JWTAuthenticator {"name": "test-authenticator"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC issuer {"issuer": "` + issuerURL + `"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC audience {"audience": "test-audience"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge namespace for API group suffix {"apiGroupSuffix": "pinniped.dev"}`,
}
},
wantError: true,
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but encountered error getting Secret test-concierge-namespace/my-ca-secret specified by JWTAuthenticator test-authenticator spec.tls.certificateAuthorityDataSource: secrets "my-ca-secret" not found` + "\n")
},
},
{
name: "autodetect JWT authenticator with CA bundle in ConfigMap, but ConfigMap not found",
args: func(issuerCABundle string, issuerURL string) []string {
return []string{
"--kubeconfig", "./testdata/kubeconfig.yaml",
}
},
conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
return []runtime.Object{
credentialIssuer(),
jwtAuthenticatorWithCABundleDataSource("ConfigMap", "my-ca-configmap", "ca.crt", issuerURL),
}
},
apiServiceObjects: []runtime.Object{
apiService("login.concierge.pinniped.dev", "v1alpha1", "test-concierge-namespace"),
},
wantLogs: func(issuerCABundle string, issuerURL string) []string {
return []string{
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered CredentialIssuer {"name": "test-credential-issuer"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge operating in TokenCredentialRequest API mode`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge endpoint {"endpoint": "https://fake-server-url-value"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge certificate authority bundle {"roots": 0}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered JWTAuthenticator {"name": "test-authenticator"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC issuer {"issuer": "` + issuerURL + `"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC audience {"audience": "test-audience"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge namespace for API group suffix {"apiGroupSuffix": "pinniped.dev"}`,
}
},
wantError: true,
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but encountered error getting ConfigMap test-concierge-namespace/my-ca-configmap specified by JWTAuthenticator test-authenticator spec.tls.certificateAuthorityDataSource: configmaps "my-ca-configmap" not found` + "\n")
},
},
{
name: "autodetect JWT authenticator with CA bundle in Secret, but invalid TLS bundle found in Secret",
args: func(issuerCABundle string, issuerURL string) []string {
return []string{
"--kubeconfig", "./testdata/kubeconfig.yaml",
}
},
conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
return []runtime.Object{
credentialIssuer(),
jwtAuthenticatorWithCABundleDataSource("Secret", "my-ca-secret", "ca.crt", issuerURL),
}
},
kubeObjects: func(issuerCABundle string) []runtime.Object {
return []runtime.Object{
caBundleInSecret("invalid CA bundle data", "my-ca-secret", "test-concierge-namespace", "ca.crt"),
}
},
apiServiceObjects: []runtime.Object{
apiService("login.concierge.pinniped.dev", "v1alpha1", "test-concierge-namespace"),
},
wantLogs: func(issuerCABundle string, issuerURL string) []string {
return []string{
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered CredentialIssuer {"name": "test-credential-issuer"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge operating in TokenCredentialRequest API mode`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge endpoint {"endpoint": "https://fake-server-url-value"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge certificate authority bundle {"roots": 0}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered JWTAuthenticator {"name": "test-authenticator"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC issuer {"issuer": "` + issuerURL + `"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC audience {"audience": "test-audience"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge namespace for API group suffix {"apiGroupSuffix": "pinniped.dev"}`,
}
},
wantError: true,
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but value at key "ca.crt" specified by JWTAuthenticator test-authenticator spec.tls.certificateAuthorityDataSource.key does not contain any CA certificates in Secret test-concierge-namespace/my-ca-secret` + "\n")
},
},
{
name: "autodetect JWT authenticator with CA bundle in Secret, but specified key not found in Secret",
args: func(issuerCABundle string, issuerURL string) []string {
return []string{
"--kubeconfig", "./testdata/kubeconfig.yaml",
}
},
conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
return []runtime.Object{
credentialIssuer(),
jwtAuthenticatorWithCABundleDataSource("Secret", "my-ca-secret", "ca.crt", issuerURL),
}
},
kubeObjects: func(issuerCABundle string) []runtime.Object {
return []runtime.Object{
caBundleInSecret(issuerCABundle, "my-ca-secret", "test-concierge-namespace", "wrong_key_name"),
}
},
apiServiceObjects: []runtime.Object{
apiService("login.concierge.pinniped.dev", "v1alpha1", "test-concierge-namespace"),
},
wantLogs: func(issuerCABundle string, issuerURL string) []string {
return []string{
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered CredentialIssuer {"name": "test-credential-issuer"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge operating in TokenCredentialRequest API mode`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge endpoint {"endpoint": "https://fake-server-url-value"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge certificate authority bundle {"roots": 0}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered JWTAuthenticator {"name": "test-authenticator"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC issuer {"issuer": "` + issuerURL + `"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC audience {"audience": "test-audience"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge namespace for API group suffix {"apiGroupSuffix": "pinniped.dev"}`,
}
},
wantError: true,
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but key "ca.crt" specified by JWTAuthenticator test-authenticator spec.tls.certificateAuthorityDataSource.key does not exist in Secret test-concierge-namespace/my-ca-secret` + "\n")
},
},
{
name: "autodetect JWT authenticator with CA bundle in Secret, but specified key has empty value in Secret",
args: func(issuerCABundle string, issuerURL string) []string {
return []string{
"--kubeconfig", "./testdata/kubeconfig.yaml",
}
},
conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
return []runtime.Object{
credentialIssuer(),
jwtAuthenticatorWithCABundleDataSource("Secret", "my-ca-secret", "ca.crt", issuerURL),
}
},
kubeObjects: func(issuerCABundle string) []runtime.Object {
return []runtime.Object{
caBundleInSecret("", "my-ca-secret", "test-concierge-namespace", "ca.crt"),
}
},
apiServiceObjects: []runtime.Object{
apiService("login.concierge.pinniped.dev", "v1", "test-concierge-namespace"),
},
wantLogs: func(issuerCABundle string, issuerURL string) []string {
return []string{
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered CredentialIssuer {"name": "test-credential-issuer"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge operating in TokenCredentialRequest API mode`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge endpoint {"endpoint": "https://fake-server-url-value"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge certificate authority bundle {"roots": 0}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered JWTAuthenticator {"name": "test-authenticator"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC issuer {"issuer": "` + issuerURL + `"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC audience {"audience": "test-audience"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge namespace for API group suffix {"apiGroupSuffix": "pinniped.dev"}`,
}
},
wantError: true,
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but key "ca.crt" specified by JWTAuthenticator test-authenticator spec.tls.certificateAuthorityDataSource.key exists but has empty value in Secret test-concierge-namespace/my-ca-secret` + "\n")
},
},
{
name: "autodetect JWT authenticator with CA bundle source, but source's Kind is not supported",
args: func(issuerCABundle string, issuerURL string) []string {
return []string{
"--kubeconfig", "./testdata/kubeconfig.yaml",
}
},
conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
return []runtime.Object{
credentialIssuer(),
jwtAuthenticatorWithCABundleDataSource("Unsupported-Value", "my-ca-secret", "ca.crt", issuerURL),
}
},
apiServiceObjects: []runtime.Object{
apiService("login.concierge.pinniped.dev", "v1alpha1", "test-concierge-namespace"),
},
wantLogs: func(issuerCABundle string, issuerURL string) []string {
return []string{
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered CredentialIssuer {"name": "test-credential-issuer"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge operating in TokenCredentialRequest API mode`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge endpoint {"endpoint": "https://fake-server-url-value"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge certificate authority bundle {"roots": 0}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered JWTAuthenticator {"name": "test-authenticator"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC issuer {"issuer": "` + issuerURL + `"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC audience {"audience": "test-audience"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge namespace for API group suffix {"apiGroupSuffix": "pinniped.dev"}`,
}
},
wantError: true,
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-authenticator spec.tls.certificateAuthorityDataSource.Kind value "Unsupported-Value" is not supported by this CLI version` + "\n")
},
},
{
name: "autodetect JWT authenticator with CA bundle in Secret, but no related APIService found",
args: func(issuerCABundle string, issuerURL string) []string {
return []string{
"--kubeconfig", "./testdata/kubeconfig.yaml",
}
},
conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
return []runtime.Object{
credentialIssuer(),
jwtAuthenticatorWithCABundleDataSource("Secret", "my-ca-secret", "ca.crt", issuerURL),
}
},
apiServiceObjects: []runtime.Object{
apiService("unrelated.example.com", "v1alpha1", "test-concierge-namespace"),
},
wantLogs: func(issuerCABundle string, issuerURL string) []string {
return []string{
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered CredentialIssuer {"name": "test-credential-issuer"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge operating in TokenCredentialRequest API mode`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge endpoint {"endpoint": "https://fake-server-url-value"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge certificate authority bundle {"roots": 0}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered JWTAuthenticator {"name": "test-authenticator"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC issuer {"issuer": "` + issuerURL + `"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC audience {"audience": "test-audience"}`,
}
},
wantError: true,
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but encountered error discovering namespace of Concierge for JWTAuthenticator test-authenticator: could not find APIService with non-empty spec.service.namespace for API group login.concierge.pinniped.dev` + "\n")
},
},
{
name: "autodetect JWT authenticator with CA bundle in Secret, but related APIService has empty namespace in spec",
args: func(issuerCABundle string, issuerURL string) []string {
return []string{
"--kubeconfig", "./testdata/kubeconfig.yaml",
}
},
conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
return []runtime.Object{
credentialIssuer(),
jwtAuthenticatorWithCABundleDataSource("Secret", "my-ca-secret", "ca.crt", issuerURL),
}
},
apiServiceObjects: []runtime.Object{
apiService("login.concierge.pinniped.dev", "v1alpha1", ""),
},
wantLogs: func(issuerCABundle string, issuerURL string) []string {
return []string{
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered CredentialIssuer {"name": "test-credential-issuer"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge operating in TokenCredentialRequest API mode`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge endpoint {"endpoint": "https://fake-server-url-value"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge certificate authority bundle {"roots": 0}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered JWTAuthenticator {"name": "test-authenticator"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC issuer {"issuer": "` + issuerURL + `"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC audience {"audience": "test-audience"}`,
}
},
wantError: true,
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but encountered error discovering namespace of Concierge for JWTAuthenticator test-authenticator: could not find APIService with non-empty spec.service.namespace for API group login.concierge.pinniped.dev` + "\n")
},
},
{
name: "autodetect JWT authenticator with CA bundle in Secret, but error when listing APIServices",
args: func(issuerCABundle string, issuerURL string) []string {
return []string{
"--kubeconfig", "./testdata/kubeconfig.yaml",
}
},
conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
return []runtime.Object{
credentialIssuer(),
jwtAuthenticatorWithCABundleDataSource("Secret", "my-ca-secret", "ca.crt", issuerURL),
}
},
apiServiceReactions: []kubetesting.Reactor{
&kubetesting.SimpleReactor{
Verb: "*",
Resource: "apiservices",
Reaction: func(kubetesting.Action) (bool, runtime.Object, error) {
return true, nil, fmt.Errorf("some list error")
},
},
},
wantLogs: func(issuerCABundle string, issuerURL string) []string {
return []string{
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered CredentialIssuer {"name": "test-credential-issuer"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge operating in TokenCredentialRequest API mode`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge endpoint {"endpoint": "https://fake-server-url-value"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge certificate authority bundle {"roots": 0}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered JWTAuthenticator {"name": "test-authenticator"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC issuer {"issuer": "` + issuerURL + `"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC audience {"audience": "test-audience"}`,
}
},
wantError: true,
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but encountered error discovering namespace of Concierge for JWTAuthenticator test-authenticator: error listing APIServices: some list error` + "\n")
},
},
{
name: "autodetect JWT authenticator, invalid substring in audience",
args: func(issuerCABundle string, issuerURL string) []string {
@@ -1246,7 +867,7 @@ func TestGetKubeconfig(t *testing.T) {
wantError: true,
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
return testutil.WantSprintfErrorString(
"Error: while fetching OIDC discovery data from issuer: oidc: issuer URL provided to client (\"%s\") did not match the issuer URL returned by provider (\"https://wrong-issuer.com\")\n",
"Error: while fetching OIDC discovery data from issuer: oidc: issuer did not match the issuer returned by provider, expected \"%s\" got \"https://wrong-issuer.com\"\n",
issuerURL)
},
},
@@ -1749,6 +1370,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -1818,6 +1440,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -1881,6 +1504,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -1947,6 +1571,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -1976,254 +1601,6 @@ func TestGetKubeconfig(t *testing.T) {
base64.StdEncoding.EncodeToString([]byte(issuerCABundle)))
},
},
{
name: "autodetect JWT authenticator with CA bundle in Secret",
args: func(issuerCABundle string, issuerURL string) []string {
return []string{
"--kubeconfig", "./testdata/kubeconfig.yaml",
"--skip-validation",
}
},
conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
return []runtime.Object{
credentialIssuer(),
jwtAuthenticatorWithCABundleDataSource("Secret", "my-ca-secret", "ca.crt", issuerURL),
}
},
kubeObjects: func(issuerCABundle string) []runtime.Object {
return []runtime.Object{
caBundleInSecret(issuerCABundle, "my-ca-secret", "test-concierge-namespace", "ca.crt"),
}
},
apiServiceObjects: []runtime.Object{
apiService("login.concierge.pinniped.dev", "v1alpha1", "test-concierge-namespace"),
apiService("unrelated.pinniped.dev", "v1alpha1", "unrelated-namespace"),
apiService("login.concierge.pinniped.dev", "v1alpha2", "test-concierge-namespace"),
},
oidcDiscoveryResponse: onlyIssuerOIDCDiscoveryResponse,
wantLogs: func(issuerCABundle string, issuerURL string) []string {
return []string{
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered CredentialIssuer {"name": "test-credential-issuer"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge operating in TokenCredentialRequest API mode`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge endpoint {"endpoint": "https://fake-server-url-value"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge certificate authority bundle {"roots": 0}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered JWTAuthenticator {"name": "test-authenticator"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC issuer {"issuer": "` + issuerURL + `"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC audience {"audience": "test-audience"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge namespace for API group suffix {"apiGroupSuffix": "pinniped.dev"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC CA bundle from JWTAuthenticator spec.tls.certificateAuthorityDataSource {"roots": 1}`,
}
},
wantStdout: func(issuerCABundle string, issuerURL string) string {
return here.Docf(`
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
server: https://fake-server-url-value
name: kind-cluster-pinniped
contexts:
- context:
cluster: kind-cluster-pinniped
user: kind-user-pinniped
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
users:
- name: kind-user-pinniped
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
args:
- login
- oidc
- --enable-concierge
- --concierge-api-group-suffix=pinniped.dev
- --concierge-authenticator-name=test-authenticator
- --concierge-authenticator-type=jwt
- --concierge-endpoint=https://fake-server-url-value
- --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
- --issuer=%s
- --client-id=pinniped-cli
- --scopes=offline_access,openid,pinniped:request-audience,username,groups
- --ca-bundle-data=%s
- --request-audience=test-audience
command: '.../path/to/pinniped'
env: []
installHint: The pinniped CLI does not appear to be installed. See https://get.pinniped.dev/cli
for more details
provideClusterInfo: true
`,
issuerURL,
base64.StdEncoding.EncodeToString([]byte(issuerCABundle)))
},
},
{
name: "autodetect JWT authenticator with CA bundle in ConfigMap",
args: func(issuerCABundle string, issuerURL string) []string {
return []string{
"--kubeconfig", "./testdata/kubeconfig.yaml",
"--skip-validation",
}
},
conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
return []runtime.Object{
credentialIssuer(),
jwtAuthenticatorWithCABundleDataSource("ConfigMap", "my-ca-configmap", "ca.crt", issuerURL),
}
},
kubeObjects: func(issuerCABundle string) []runtime.Object {
return []runtime.Object{
caBundleInConfigmap(issuerCABundle, "my-ca-configmap", "test-concierge-namespace", "ca.crt"),
}
},
apiServiceObjects: []runtime.Object{
apiService("login.concierge.pinniped.dev", "v1alpha1", "test-concierge-namespace"),
apiService("unrelated.pinniped.dev", "v1alpha1", "unrelated-namespace"),
apiService("login.concierge.pinniped.dev", "v1alpha2", "test-concierge-namespace"),
},
oidcDiscoveryResponse: onlyIssuerOIDCDiscoveryResponse,
wantLogs: func(issuerCABundle string, issuerURL string) []string {
return []string{
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered CredentialIssuer {"name": "test-credential-issuer"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge operating in TokenCredentialRequest API mode`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge endpoint {"endpoint": "https://fake-server-url-value"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge certificate authority bundle {"roots": 0}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered JWTAuthenticator {"name": "test-authenticator"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC issuer {"issuer": "` + issuerURL + `"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC audience {"audience": "test-audience"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge namespace for API group suffix {"apiGroupSuffix": "pinniped.dev"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC CA bundle from JWTAuthenticator spec.tls.certificateAuthorityDataSource {"roots": 1}`,
}
},
wantStdout: func(issuerCABundle string, issuerURL string) string {
return here.Docf(`
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
server: https://fake-server-url-value
name: kind-cluster-pinniped
contexts:
- context:
cluster: kind-cluster-pinniped
user: kind-user-pinniped
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
users:
- name: kind-user-pinniped
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
args:
- login
- oidc
- --enable-concierge
- --concierge-api-group-suffix=pinniped.dev
- --concierge-authenticator-name=test-authenticator
- --concierge-authenticator-type=jwt
- --concierge-endpoint=https://fake-server-url-value
- --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
- --issuer=%s
- --client-id=pinniped-cli
- --scopes=offline_access,openid,pinniped:request-audience,username,groups
- --ca-bundle-data=%s
- --request-audience=test-audience
command: '.../path/to/pinniped'
env: []
installHint: The pinniped CLI does not appear to be installed. See https://get.pinniped.dev/cli
for more details
provideClusterInfo: true
`,
issuerURL,
base64.StdEncoding.EncodeToString([]byte(issuerCABundle)))
},
},
{
name: "autodetect JWT authenticator with CA bundle in ConfigMap with a custom API group suffix",
args: func(issuerCABundle string, issuerURL string) []string {
return []string{
"--kubeconfig", "./testdata/kubeconfig.yaml",
"--concierge-api-group-suffix=acme.com",
"--skip-validation",
}
},
conciergeObjects: func(issuerCABundle string, issuerURL string) []runtime.Object {
return []runtime.Object{
credentialIssuer(),
jwtAuthenticatorWithCABundleDataSource("ConfigMap", "my-ca-configmap", "ca.crt", issuerURL),
}
},
kubeObjects: func(issuerCABundle string) []runtime.Object {
return []runtime.Object{
caBundleInConfigmap(issuerCABundle, "my-ca-configmap", "test-concierge-namespace", "ca.crt"),
}
},
apiServiceObjects: []runtime.Object{
apiService("login.concierge.acme.com", "v1alpha1", "test-concierge-namespace"),
apiService("unrelated.pinniped.dev", "v1alpha1", "unrelated-namespace"),
apiService("login.concierge.pinniped.dev", "v1alpha2", "another-unrelated-namespace"),
},
oidcDiscoveryResponse: onlyIssuerOIDCDiscoveryResponse,
wantLogs: func(issuerCABundle string, issuerURL string) []string {
return []string{
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered CredentialIssuer {"name": "test-credential-issuer"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge operating in TokenCredentialRequest API mode`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge endpoint {"endpoint": "https://fake-server-url-value"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge certificate authority bundle {"roots": 0}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered JWTAuthenticator {"name": "test-authenticator"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC issuer {"issuer": "` + issuerURL + `"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC audience {"audience": "test-audience"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered Concierge namespace for API group suffix {"apiGroupSuffix": "acme.com"}`,
`2099-08-08T13:57:36.123456Z info cmd/kubeconfig.go:<line> discovered OIDC CA bundle from JWTAuthenticator spec.tls.certificateAuthorityDataSource {"roots": 1}`,
}
},
wantAPIGroupSuffix: "acme.com",
wantStdout: func(issuerCABundle string, issuerURL string) string {
return here.Docf(`
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
server: https://fake-server-url-value
name: kind-cluster-pinniped
contexts:
- context:
cluster: kind-cluster-pinniped
user: kind-user-pinniped
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
users:
- name: kind-user-pinniped
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
args:
- login
- oidc
- --enable-concierge
- --concierge-api-group-suffix=acme.com
- --concierge-authenticator-name=test-authenticator
- --concierge-authenticator-type=jwt
- --concierge-endpoint=https://fake-server-url-value
- --concierge-ca-bundle-data=ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ==
- --issuer=%s
- --client-id=pinniped-cli
- --scopes=offline_access,openid,pinniped:request-audience,username,groups
- --ca-bundle-data=%s
- --request-audience=test-audience
command: '.../path/to/pinniped'
env: []
installHint: The pinniped CLI does not appear to be installed. See https://get.pinniped.dev/cli
for more details
provideClusterInfo: true
`,
issuerURL,
base64.StdEncoding.EncodeToString([]byte(issuerCABundle)))
},
},
{
name: "autodetect nothing, set a bunch of options",
args: func(issuerCABundle string, issuerURL string) []string {
@@ -2274,6 +1651,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-sso
current-context: kind-context-sso
kind: Config
preferences: {}
users:
- name: kind-user-sso
user:
@@ -2392,6 +1770,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -2500,6 +1879,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -2576,6 +1956,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -2654,6 +2035,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -2730,6 +2112,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -2802,6 +2185,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -2881,6 +2265,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -2967,6 +2352,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -3054,6 +2440,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -3141,6 +2528,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -3218,6 +2606,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -3300,6 +2689,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -3365,6 +2755,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -3425,6 +2816,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -3485,6 +2877,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -3546,6 +2939,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -3607,6 +3001,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -3667,6 +3062,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -3726,6 +3122,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -3791,6 +3188,7 @@ func TestGetKubeconfig(t *testing.T) {
name: kind-context-pinniped
current-context: kind-context-pinniped
kind: Config
preferences: {}
users:
- name: kind-user-pinniped
user:
@@ -3814,7 +3212,6 @@ func TestGetKubeconfig(t *testing.T) {
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
var issuerEndpointPtr *string
@@ -3849,40 +3246,6 @@ func TestGetKubeconfig(t *testing.T) {
}), nil)
issuerEndpointPtr = ptr.To(testServer.URL)
getClientsetFunc := func(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, kubernetes.Interface, aggregatorclient.Interface, error) {
if tt.wantAPIGroupSuffix == "" {
require.Equal(t, "pinniped.dev", apiGroupSuffix) // "pinniped.dev" = api group suffix default
} else {
require.Equal(t, tt.wantAPIGroupSuffix, apiGroupSuffix)
}
if tt.getClientsetErr != nil {
return nil, nil, nil, tt.getClientsetErr
}
//nolint:staticcheck // as of v0.35.0, this package does not offer a NewClientset() function
fakeAggregatorClient := aggregatorfake.NewSimpleClientset(tt.apiServiceObjects...)
fakeKubeClient := kubefake.NewClientset()
if tt.kubeObjects != nil {
kubeObjects := tt.kubeObjects(string(testServerCA))
fakeKubeClient = kubefake.NewClientset(kubeObjects...)
}
//nolint:staticcheck // our codegen does not yet generate a NewClientset() function
fakeConciergeClient := conciergefake.NewSimpleClientset()
if tt.conciergeObjects != nil {
//nolint:staticcheck // our codegen does not yet generate a NewClientset() function
fakeConciergeClient = conciergefake.NewSimpleClientset(tt.conciergeObjects(string(testServerCA), testServer.URL)...)
}
if len(tt.conciergeReactions) > 0 {
fakeConciergeClient.ReactionChain = slices.Concat(tt.conciergeReactions, fakeConciergeClient.ReactionChain)
}
if len(tt.kubeReactions) > 0 {
fakeKubeClient.ReactionChain = slices.Concat(tt.kubeReactions, fakeKubeClient.ReactionChain)
}
if len(tt.apiServiceReactions) > 0 {
fakeAggregatorClient.ReactionChain = slices.Concat(tt.apiServiceReactions, fakeAggregatorClient.ReactionChain)
}
return fakeConciergeClient, fakeKubeClient, fakeAggregatorClient, nil
}
var log bytes.Buffer
cmd := kubeconfigCommand(kubeconfigDeps{
@@ -3895,8 +3258,25 @@ func TestGetKubeconfig(t *testing.T) {
}
return ".../path/to/pinniped", nil
},
getClientsets: getClientsetFunc,
log: plog.TestConsoleLogger(t, &log),
getClientset: func(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, error) {
if tt.wantAPIGroupSuffix == "" {
require.Equal(t, "pinniped.dev", apiGroupSuffix) // "pinniped.dev" = api group suffix default
} else {
require.Equal(t, tt.wantAPIGroupSuffix, apiGroupSuffix)
}
if tt.getClientsetErr != nil {
return nil, tt.getClientsetErr
}
fake := conciergefake.NewSimpleClientset()
if tt.conciergeObjects != nil {
fake = conciergefake.NewSimpleClientset(tt.conciergeObjects(string(testServerCA), testServer.URL)...)
}
if len(tt.conciergeReactions) > 0 {
fake.ReactionChain = slices.Concat(tt.conciergeReactions, fake.ReactionChain)
}
return fake, nil
},
log: plog.TestConsoleLogger(t, &log),
})
require.NotNil(t, cmd)
@@ -3913,10 +3293,14 @@ func TestGetKubeconfig(t *testing.T) {
require.NoError(t, err)
}
var expectedLogs string
if tt.wantLogs != nil {
wantLogs := tt.wantLogs(string(testServerCA), testServer.URL)
testutil.RequireLogLines(t, wantLogs, &log)
temp := tt.wantLogs(string(testServerCA), testServer.URL)
if len(temp) > 0 {
expectedLogs = strings.Join(tt.wantLogs(string(testServerCA), testServer.URL), "\n") + "\n"
}
}
require.Equal(t, expectedLogs, log.String())
expectedStdout := ""
if tt.wantStdout != nil {

1
cmd/pinniped/cmd/login_oidc.go
View File

@@ -224,7 +224,6 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
conciergeclient.WithBase64CABundle(flags.conciergeCABundle),
conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName),
conciergeclient.WithAPIGroupSuffix(flags.conciergeAPIGroupSuffix),
conciergeclient.WithTransportWrapper(LogAuditIDTransportWrapper),
)
if err != nil {
return fmt.Errorf("invalid Concierge parameters: %w", err)

12
cmd/pinniped/cmd/login_oidc_test.go
View File

@@ -274,8 +274,8 @@ func TestLoginOIDCCommand(t *testing.T) {
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
wantLogs: []string{
nowStr + ` cmd/login_oidc.go:268 Performing OIDC login {"issuer": "test-issuer", "client id": "test-client-id"}`,
nowStr + ` cmd/login_oidc.go:288 No concierge configured, skipping token credential exchange`,
nowStr + ` cmd/login_oidc.go:267 Performing OIDC login {"issuer": "test-issuer", "client id": "test-client-id"}`,
nowStr + ` cmd/login_oidc.go:287 No concierge configured, skipping token credential exchange`,
},
},
{
@@ -319,10 +319,10 @@ func TestLoginOIDCCommand(t *testing.T) {
wantOptionsCount: 12,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"token":"exchanged-token"}}` + "\n",
wantLogs: []string{
nowStr + ` cmd/login_oidc.go:268 Performing OIDC login {"issuer": "test-issuer", "client id": "test-client-id"}`,
nowStr + ` cmd/login_oidc.go:278 Exchanging token for cluster credential {"endpoint": "https://127.0.0.1:1234/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
nowStr + ` cmd/login_oidc.go:286 Successfully exchanged token for cluster credential.`,
nowStr + ` cmd/login_oidc.go:293 caching cluster credential for future use.`,
nowStr + ` cmd/login_oidc.go:267 Performing OIDC login {"issuer": "test-issuer", "client id": "test-client-id"}`,
nowStr + ` cmd/login_oidc.go:277 Exchanging token for cluster credential {"endpoint": "https://127.0.0.1:1234/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
nowStr + ` cmd/login_oidc.go:285 Successfully exchanged token for cluster credential.`,
nowStr + ` cmd/login_oidc.go:292 caching cluster credential for future use.`,
},
},
}

1
cmd/pinniped/cmd/login_static.go
View File

@@ -113,7 +113,6 @@ func runStaticLogin(cmd *cobra.Command, deps staticLoginDeps, flags staticLoginP
conciergeclient.WithBase64CABundle(flags.conciergeCABundle),
conciergeclient.WithAuthenticator(flags.conciergeAuthenticatorType, flags.conciergeAuthenticatorName),
conciergeclient.WithAPIGroupSuffix(flags.conciergeAPIGroupSuffix),
conciergeclient.WithTransportWrapper(LogAuditIDTransportWrapper),
)
if err != nil {
return fmt.Errorf("invalid Concierge parameters: %w", err)

2
cmd/pinniped/cmd/login_static_test.go
View File

@@ -147,7 +147,7 @@ func TestLoginStaticCommand(t *testing.T) {
Error: could not complete Concierge credential exchange: some concierge error
`),
wantLogs: []string{
nowStr + ` cmd/login_static.go:160 exchanging static token for cluster credential {"endpoint": "https://127.0.0.1/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
nowStr + ` cmd/login_static.go:159 exchanging static token for cluster credential {"endpoint": "https://127.0.0.1/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
},
},
{

14
cmd/pinniped/cmd/whoami.go
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@@ -25,14 +25,14 @@ import (
)
type whoamiDeps struct {
getenv func(key string) string
getClientsets getClientsetsFunc
getenv func(key string) string
getClientset getConciergeClientsetFunc
}
func whoamiRealDeps() whoamiDeps {
return whoamiDeps{
getenv: os.Getenv,
getClientsets: getRealClientsets,
getenv: os.Getenv,
getClientset: getRealConciergeClientset,
}
}
@@ -82,7 +82,7 @@ func newWhoamiCommand(deps whoamiDeps) *cobra.Command {
func runWhoami(output io.Writer, deps whoamiDeps, flags *whoamiFlags) error {
clientConfig := newClientConfig(flags.kubeconfigPath, flags.kubeconfigContextOverride)
conciergeClient, _, _, err := deps.getClientsets(clientConfig, flags.apiGroupSuffix)
clientset, err := deps.getClientset(clientConfig, flags.apiGroupSuffix)
if err != nil {
return fmt.Errorf("could not configure Kubernetes client: %w", err)
}
@@ -108,7 +108,7 @@ func runWhoami(output io.Writer, deps whoamiDeps, flags *whoamiFlags) error {
defer cancelFunc()
}
whoAmI, err := conciergeClient.IdentityV1alpha1().WhoAmIRequests().Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
whoAmI, err := clientset.IdentityV1alpha1().WhoAmIRequests().Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
if err != nil {
hint := ""
if apierrors.IsNotFound(err) {

33
cmd/pinniped/cmd/whoami_test.go
View File

@@ -1,4 +1,4 @@
// Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@@ -11,10 +11,8 @@ import (
"github.com/stretchr/testify/require"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/client-go/kubernetes"
kubetesting "k8s.io/client-go/testing"
"k8s.io/client-go/tools/clientcmd"
aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1"
conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
@@ -130,7 +128,9 @@ func TestWhoami(t *testing.T) {
{
"kind": "WhoAmIRequest",
"apiVersion": "identity.concierge.pinniped.dev/v1alpha1",
"metadata": {},
"metadata": {
"creationTimestamp": null
},
"spec": {},
"status": {
"kubernetesUserInfo": {
@@ -152,7 +152,9 @@ func TestWhoami(t *testing.T) {
{
"kind": "WhoAmIRequest",
"apiVersion": "identity.concierge.tuna.io/v1alpha1",
"metadata": {},
"metadata": {
"creationTimestamp": null
},
"spec": {},
"status": {
"kubernetesUserInfo": {
@@ -173,7 +175,8 @@ func TestWhoami(t *testing.T) {
wantStdout: here.Doc(`
apiVersion: identity.concierge.pinniped.dev/v1alpha1
kind: WhoAmIRequest
metadata: {}
metadata:
creationTimestamp: null
spec: {}
status:
kubernetesUserInfo:
@@ -190,7 +193,8 @@ func TestWhoami(t *testing.T) {
wantStdout: here.Doc(`
apiVersion: identity.concierge.tuna.io/v1alpha1
kind: WhoAmIRequest
metadata: {}
metadata:
creationTimestamp: null
spec: {}
status:
kubernetesUserInfo:
@@ -286,16 +290,14 @@ func TestWhoami(t *testing.T) {
wantStderr: "Error: could not complete WhoAmIRequest (is the Pinniped WhoAmI API running and healthy?): whoamirequests.identity.concierge.pinniped.dev \"whatever\" not found\n",
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
getClientsetFunc := func(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, kubernetes.Interface, aggregatorclient.Interface, error) {
getClientset := func(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, error) {
if test.gettingClientsetErr != nil {
return nil, nil, nil, test.gettingClientsetErr
return nil, test.gettingClientsetErr
}
//nolint:staticcheck // our codegen does not yet generate a NewClientset() function
conciergeClient := conciergefake.NewSimpleClientset()
conciergeClient.PrependReactor("create", "whoamirequests", func(_ kubetesting.Action) (bool, runtime.Object, error) {
clientset := conciergefake.NewSimpleClientset()
clientset.PrependReactor("create", "whoamirequests", func(_ kubetesting.Action) (bool, runtime.Object, error) {
if test.callingAPIErr != nil {
return true, nil, test.callingAPIErr
}
@@ -314,14 +316,13 @@ func TestWhoami(t *testing.T) {
},
}, nil
})
return conciergeClient, nil, nil, nil
return clientset, nil
}
cmd := newWhoamiCommand(whoamiDeps{
getenv: func(key string) string {
return test.env[key]
},
getClientsets: getClientsetFunc,
getClientset: getClientset,
})
stdout, stderr := bytes.NewBuffer([]byte{}), bytes.NewBuffer([]byte{})

239
deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.16.5
name: jwtauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev
@@ -58,219 +58,37 @@ spec:
metadata:
type: object
spec:
description: spec for configuring the authenticator.
description: Spec for configuring the authenticator.
properties:
audience:
description: audience is the required value of the "aud" JWT claim.
description: Audience is the required value of the "aud" JWT claim.
minLength: 1
type: string
claimValidationRules:
description: |-
claimValidationRules are rules that are applied to validate token claims to authenticate users.
This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration as documented in
https://kubernetes.io/docs/reference/access-authn-authz/authentication.
This is an advanced configuration option. During an end-user login flow, mistakes in this
configuration will cause the user's login to fail.
items:
description: ClaimValidationRule provides the configuration for
a single claim validation rule.
properties:
claim:
description: |-
claim is the name of a required claim.
Only string claim keys are supported.
Mutually exclusive with expression and message.
type: string
expression:
description: |-
expression represents the expression which will be evaluated by CEL.
Must produce a boolean.
CEL expressions have access to the contents of the token claims, organized into CEL variable:
- 'claims' is a map of claim names to claim values.
For example, a variable named 'sub' can be accessed as 'claims.sub'.
Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
Must return true for the validation to pass.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Mutually exclusive with claim and requiredValue.
type: string
message:
description: |-
message customizes the returned error message when expression returns false.
message is a literal string.
Mutually exclusive with claim and requiredValue.
type: string
requiredValue:
description: |-
requiredValue is the value of a required claim.
Only string claim values are supported.
If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string.
Mutually exclusive with expression and message.
type: string
type: object
type: array
claims:
description: |-
claims allows customization of the claims that will be mapped to user identity
Claims allows customization of the claims that will be mapped to user identity
for Kubernetes access.
properties:
extra:
description: |-
extra is similar to claimMappings.extra from Kubernetes AuthenticationConfiguration
as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication.
However, note that the Pinniped Concierge issues client certificates to users for the purpose
of authenticating, and the Kubernetes API server does not have any mechanism for transmitting
auth extras via client certificates. When configured, these extras will appear in client
certificates issued by the Pinniped Supervisor in the x509 Subject field as Organizational
Units (OU). However, when this client certificate is presented to Kubernetes for authentication,
Kubernetes will ignore these extras. This is probably only useful if you are using a custom
authenticating proxy in front of your Kubernetes API server which can translate these OUs into
auth extras, as described by
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authenticating-proxy.
This is an advanced configuration option. During an end-user login flow, each of these CEL expressions
must evaluate to either a string or an array of strings, or else the user's login will fail.
These keys must be a domain-prefixed path (such as "acme.io/foo") and must not contain an equals sign ("=").
expression must produce a string or string array value.
If the value is empty, the extra mapping will not be present.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
hard-coded extra key/value
- key: "acme.io/foo"
valueExpression: "'bar'"
This will result in an extra attribute - acme.io/foo: ["bar"]
hard-coded key, value copying claim value
- key: "acme.io/foo"
valueExpression: "claims.some_claim"
This will result in an extra attribute - acme.io/foo: [value of some_claim]
hard-coded key, value derived from claim value
- key: "acme.io/admin"
valueExpression: '(has(claims.is_admin) && claims.is_admin) ? "true":""'
This will result in:
- if is_admin claim is present and true, extra attribute - acme.io/admin: ["true"]
- if is_admin claim is present and false or is_admin claim is not present, no extra attribute will be added
items:
description: ExtraMapping provides the configuration for a single
extra mapping.
properties:
key:
description: |-
key is a string to use as the extra attribute key.
key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid
subdomain as defined by RFC 1123. All characters trailing the first "/" must
be valid HTTP Path characters as defined by RFC 3986.
key must be lowercase.
Required to be unique.
Additionally, the key must not contain an equals sign ("=").
type: string
valueExpression:
description: |-
valueExpression is a CEL expression to extract extra attribute value.
valueExpression must produce a string or string array value.
"", [], and null values are treated as the extra mapping not being present.
Empty string values contained within a string array are filtered out.
CEL expressions have access to the contents of the token claims, organized into CEL variable:
- 'claims' is a map of claim names to claim values.
For example, a variable named 'sub' can be accessed as 'claims.sub'.
Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
type: string
required:
- key
- valueExpression
type: object
type: array
groups:
description: |-
groups is the name of the claim which should be read to extract the user's
group membership from the JWT token. When not specified, it will default to "groups",
unless groupsExpression is specified.
Mutually exclusive with groupsExpression. Use either groups or groupsExpression to
determine the user's group membership from the JWT token.
type: string
groupsExpression:
description: |-
groupsExpression represents an expression which will be evaluated by CEL.
The expression's result will become the user's group memberships.
groupsExpression is similar to claimMappings.groups.expression from Kubernetes AuthenticationConfiguration
as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication.
This is an advanced configuration option. During an end-user login flow, each of these CEL expressions
must evaluate to one of the expected types without errors, or else the user's login will fail.
Additionally, mistakes in this configuration can cause the users to have unintended group memberships.
The expression must produce a string or string array value.
"", [], and null values are treated as the group mapping not being present.
CEL expressions have access to the contents of the token claims, organized into CEL variable:
- 'claims' is a map of claim names to claim values.
For example, a variable named 'sub' can be accessed as 'claims.sub'.
Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Mutually exclusive with groups. Use either groups or groupsExpression to
determine the user's group membership from the JWT token.
Groups is the name of the claim which should be read to extract the user's
group membership from the JWT token. When not specified, it will default to "groups".
type: string
username:
description: |-
username is the name of the claim which should be read to extract the
username from the JWT token. When not specified, it will default to "username",
unless usernameExpression is specified.
Mutually exclusive with usernameExpression. Use either username or usernameExpression to
determine the user's username from the JWT token.
type: string
usernameExpression:
description: |-
usernameExpression represents an expression which will be evaluated by CEL.
The expression's result will become the user's username.
usernameExpression is similar to claimMappings.username.expression from Kubernetes AuthenticationConfiguration
as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication.
This is an advanced configuration option. During an end-user login flow, each of these CEL expressions
must evaluate to the expected type without errors, or else the user's login will fail.
Additionally, mistakes in this configuration can cause the users to have unintended usernames.
The expression must produce a non-empty string value.
If the expression uses 'claims.email', then 'claims.email_verified' must be used in
the expression or extra[*].valueExpression or claimValidationRules[*].expression.
An example claim validation rule expression that matches the validation automatically
applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true) == true'.
By explicitly comparing the value to true, we let type-checking see the result will be a boolean,
and to make sure a non-boolean email_verified claim will be caught at runtime.
CEL expressions have access to the contents of the token claims, organized into CEL variable:
- 'claims' is a map of claim names to claim values.
For example, a variable named 'sub' can be accessed as 'claims.sub'.
Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Mutually exclusive with username. Use either username or usernameExpression to
determine the user's username from the JWT token.
Username is the name of the claim which should be read to extract the
username from the JWT token. When not specified, it will default to "username".
type: string
type: object
issuer:
description: |-
issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
also used to validate the "iss" JWT claim.
minLength: 1
pattern: ^https://
type: string
tls:
description: tls is the configuration for communicating with the OIDC
provider via TLS.
description: TLS configuration for communicating with the OIDC provider.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
@@ -310,47 +128,12 @@ spec:
- name
type: object
type: object
userValidationRules:
description: |-
userValidationRules are rules that are applied to final user before completing authentication.
These allow invariants to be applied to incoming identities such as preventing the
use of the system: prefix that is commonly used by Kubernetes components.
The validation rules are logically ANDed together and must all return true for the validation to pass.
This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration as documented in
https://kubernetes.io/docs/reference/access-authn-authz/authentication.
This is an advanced configuration option. During an end-user login flow, mistakes in this
configuration will cause the user's login to fail.
items:
description: UserValidationRule provides the configuration for a
single user info validation rule.
properties:
expression:
description: |-
expression represents the expression which will be evaluated by CEL.
Must return true for the validation to pass.
CEL expressions have access to the contents of UserInfo, organized into CEL variable:
- 'user' - authentication.k8s.io/v1, Kind=UserInfo object
Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition.
API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
type: string
message:
description: |-
message customizes the returned error message when rule returns false.
message is a literal string.
type: string
required:
- expression
type: object
type: array
required:
- audience
- issuer
type: object
status:
description: status of the authenticator.
description: Status of the authenticator.
properties:
conditions:
description: Represents the observations of the authenticator's current

2
deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.16.5
name: webhookauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

20
deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.16.5
name: credentialissuers.config.concierge.pinniped.dev
spec:
group: config.concierge.pinniped.dev
@@ -134,6 +134,24 @@ spec:
status:
description: CredentialIssuerStatus describes the status of the Concierge.
properties:
kubeConfigInfo:
description: |-
Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
This field is deprecated and will be removed in a future version.
properties:
certificateAuthorityData:
description: The K8s API server CA bundle.
minLength: 1
type: string
server:
description: The K8s API server URL.
minLength: 1
pattern: ^https://|^http://
type: string
required:
- certificateAuthorityData
- server
type: object
strategies:
description: List of integration strategies that were attempted by
Pinniped.

21
deploy/concierge/deployment.yaml
View File

@@ -1,18 +1,9 @@
#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data")
#@ load("@ytt:json", "json")
#@ load("helpers.lib.yaml",
#@ "defaultLabel",
#@ "labels",
#@ "deploymentPodLabel",
#@ "namespace",
#@ "defaultResourceName",
#@ "defaultResourceNameWithSuffix",
#@ "getAndValidateLogLevel",
#@ "pinnipedDevAPIGroupWithPrefix",
#@ )
#@ load("helpers.lib.yaml", "defaultLabel", "labels", "deploymentPodLabel", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "getAndValidateLogLevel", "pinnipedDevAPIGroupWithPrefix")
#@ load("@ytt:template", "template")
#@ if not data.values.into_namespace:
@@ -77,7 +68,6 @@ data:
apiGroupSuffix: (@= data.values.api_group_suffix @)
# aggregatedAPIServerPort may be set here, although other YAML references to the default port (10250) may also need to be updated
# impersonationProxyServerPort may be set here, although other YAML references to the default port (8444) may also need to be updated
aggregatedAPIServerDisableAdmissionPlugins: []
names:
servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @)
credentialIssuer: (@= defaultResourceNameWithSuffix("config") @)
@@ -93,7 +83,6 @@ data:
labels: (@= json.encode(labels()).rstrip() @)
kubeCertAgent:
namePrefix: (@= defaultResourceNameWithSuffix("kube-cert-agent-") @)
priorityClassName: (@= data.values.kube_cert_agent_priority_class_name @)
(@ if data.values.kube_cert_agent_image: @)
image: (@= data.values.kube_cert_agent_image @)
(@ else: @)
@@ -105,17 +94,15 @@ data:
(@ end @)
(@ if data.values.image_pull_dockerconfigjson: @)
imagePullSecrets:
- image-pull-secret
- image-pull-secret
(@ end @)
(@ if data.values.log_level: @)
log:
level: (@= getAndValidateLogLevel() @)
(@ end @)
(@ end @)
tls:
onedottwo:
allowedCiphers: (@= str(data.values.allowed_ciphers_for_tls_onedottwo) @)
audit:
logUsernamesAndGroups: (@= data.values.audit.log_usernames_and_groups @)
---
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
apiVersion: v1

2
deploy/concierge/helpers.lib.yaml
View File

@@ -1,4 +1,4 @@
#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data")

31
deploy/concierge/values.yaml
View File

@@ -1,4 +1,4 @@
#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ def validate_strings_map(obj):
@@ -52,7 +52,7 @@ replicas: 2
#@schema/title "Image repo"
#@schema/desc "The repository for the Concierge container image."
#@schema/validation min_len=1
image_repo: ghcr.io/vmware/pinniped/pinniped-server
image_repo: ghcr.io/vmware-tanzu/pinniped/pinniped-server
#@schema/title "Image digest"
#@schema/desc "The image digest for the Concierge container image. If both image_digest or an image_tag are given, only image_digest will be used."
@@ -68,24 +68,15 @@ image_digest: ""
image_tag: latest
#@schema/title "Kube Cert Agent image"
#@ kube_cert_agent_image_desc = "Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled \
#@ kube_cert_agent_image = "Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled \
#@ on the control plane. This image needs only to include `sleep` and `cat` binaries. \
#@ By default, the same image specified for image_repo/image_digest/image_tag will be re-used."
#@schema/desc kube_cert_agent_image_desc
#@schema/examples ("Image including tag or digest", "ghcr.io/vmware/pinniped/pinniped-server:latest")
#@schema/desc kube_cert_agent_image
#@schema/examples ("Image including tag or digest", "ghcr.io/vmware-tanzu/pinniped/pinniped-server:latest")
#@schema/nullable
#@schema/validation min_len=1
kube_cert_agent_image: ""
#@schema/title "Kube Cert Agent Priority Class Name"
#@ kube_cert_agent_priority_class_name_desc = "Optionally specify a PriorityClassName for the 'kube-cert-agent' pod. \
#@ See https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ for more details. \
#@ By default, this is the empty string."
#@schema/desc kube_cert_agent_priority_class_name_desc
#@schema/examples ("name of a PriorityClass object", "high-priority")
#@schema/validation min_len=0
kube_cert_agent_priority_class_name: ""
#@schema/title "Image pull dockerconfigjson"
#@ image_pull_dockerconfigjson_desc = "A base64 encoded secret to be used when pulling the `image_repo` container image. \
#@ Can be used when the image_repo is a private registry. Typically, the value would be the output of: \
@@ -240,15 +231,3 @@ no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.
#! An empty array is perfectly valid, as is any array of strings.
allowed_ciphers_for_tls_onedottwo:
- ""
#@schema/title "Audit logging configuration"
#@schema/desc "Customize the content of audit log events."
audit:
#@schema/title "Log usernames and groups"
#@ log_usernames_and_groups_desc = "Enables or disables printing usernames and group names in audit logs. Options are 'enabled' or 'disabled'. \
#@ If enabled, usernames are group names may be printed in audit log events. \
#@ If disabled, usernames and group names will be redacted from audit logs because they might contain personally identifiable information."
#@schema/desc log_usernames_and_groups_desc
#@schema/validation one_of=["enabled", "disabled"]
log_usernames_and_groups: disabled

2
deploy/local-user-authenticator/README.md
View File

@@ -20,7 +20,7 @@ kubectl apply -f https://get.pinniped.dev/latest/install-local-user-authenticato
## Installing a Specific Version with Default Options
Choose your preferred [release](https://github.com/vmware/pinniped/releases) version number
Choose your preferred [release](https://github.com/vmware-tanzu/pinniped/releases) version number
and use it to replace the version number in the URL below.
```bash

4
deploy/local-user-authenticator/values.yaml
View File

@@ -1,4 +1,4 @@
#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@data/values-schema
@@ -6,7 +6,7 @@
#@schema/title "Image repo"
#@schema/desc "The repository for the local-user-authenticator container image."
#@schema/validation min_len=1
image_repo: ghcr.io/vmware/pinniped/pinniped-server
image_repo: ghcr.io/vmware-tanzu/pinniped/pinniped-server
#@schema/title "Image digest"
#@schema/desc "The image digest for the local-user-authenticator container image. If both image_digest or an image_tag are given, only image_digest will be used."

5
deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.16.5
name: federationdomains.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev
@@ -289,9 +289,6 @@ spec:
https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
minLength: 1
type: string
x-kubernetes-validations:
- message: issuer must be an HTTPS URL
rule: isURL(self) && url(self).getScheme() == 'https'
tls:
description: TLS specifies a secret which will contain Transport Layer
Security (TLS) configuration for the FederationDomain.

2
deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.16.5
name: oidcclients.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev

4
deploy/supervisor/deployment.yaml
View File

@@ -1,4 +1,4 @@
#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data")
@@ -13,7 +13,7 @@
#@ "pinnipedDevAPIGroupWithPrefix",
#@ "getPinnipedConfigMapData",
#@ "hasUnixNetworkEndpoint",
#@ )
#@ )
#@ load("@ytt:template", "template")
#@ if not data.values.into_namespace:

9
deploy/supervisor/helpers.lib.yaml
View File

@@ -1,4 +1,4 @@
#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data")
@@ -57,12 +57,7 @@ _: #@ template.replace(data.values.custom_labels)
#@ "onedottwo": {
#@ "allowedCiphers": data.values.allowed_ciphers_for_tls_onedottwo
#@ }
#@ },
#@ "audit": {
#@ "logUsernamesAndGroups": data.values.audit.log_usernames_and_groups,
#@ "logInternalPaths": data.values.audit.log_internal_paths
#@ },
#@ "aggregatedAPIServerDisableAdmissionPlugins": []
#@ }
#@ }
#@ if data.values.log_level:
#@ config["log"] = {}

2
deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.16.5
name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

2
deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.16.5
name: githubidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

2
deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.16.5
name: ldapidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

2
deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.16.5
name: oidcidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

24
deploy/supervisor/values.yaml
View File

@@ -1,4 +1,4 @@
#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ def validate_strings_map(obj):
@@ -52,7 +52,7 @@ replicas: 2
#@schema/title "Image repo"
#@schema/desc "The repository for the Supervisor container image."
#@schema/validation min_len=1
image_repo: ghcr.io/vmware/pinniped/pinniped-server
image_repo: ghcr.io/vmware-tanzu/pinniped/pinniped-server
#@schema/title "Image digest"
#@schema/desc "The image digest for the Supervisor container image. If both image_digest or an image_tag are given, only image_digest will be used."
@@ -220,23 +220,3 @@ endpoints: { }
#! An empty array is perfectly valid, as is any array of strings.
allowed_ciphers_for_tls_onedottwo:
- ""
#@schema/title "Audit logging configuration"
#@schema/desc "Customize the content of audit log events."
audit:
#@schema/title "Log usernames and groups"
#@ log_usernames_and_groups_desc = "Enables or disables printing usernames and group names in audit logs. Options are 'enabled' or 'disabled'. \
#@ If enabled, usernames are group names may be printed in audit log events. \
#@ If disabled, usernames and group names will be redacted from audit logs because they might contain personally identifiable information."
#@schema/desc log_usernames_and_groups_desc
#@schema/validation one_of=["enabled", "disabled"]
log_usernames_and_groups: disabled
#@schema/title "Log HTTPS requests for internal paths"
#@ log_internal_paths = "Enables or disables request logging for internal paths in audit logs. Options are 'enabled' or 'disabled'. \
#@ If enabled, requests to certain paths that are typically only used internal to the cluster (e.g. /healthz) will be enabled, which can be very verbose. \
#@ If disabled, requests to those paths will not be audit logged."
#@schema/desc log_internal_paths
#@schema/validation one_of=["enabled", "disabled"]
log_internal_paths: disabled

997
generated/1.35/README.adoc → generated/1.25/README.adoc generated
View File

File diff suppressed because it is too large Load Diff

2
generated/1.34/apis/concierge/authentication/v1alpha1/doc.go → generated/1.25/apis/concierge/authentication/v1alpha1/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:deepcopy-gen=package

2
generated/1.34/apis/concierge/authentication/v1alpha1/register.go → generated/1.25/apis/concierge/authentication/v1alpha1/register.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

103
generated/1.25/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go generated Normal file
View File

@@ -0,0 +1,103 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
type JWTAuthenticatorPhase string
const (
// JWTAuthenticatorPhasePending is the default phase for newly-created JWTAuthenticator resources.
JWTAuthenticatorPhasePending JWTAuthenticatorPhase = "Pending"
// JWTAuthenticatorPhaseReady is the phase for an JWTAuthenticator resource in a healthy state.
JWTAuthenticatorPhaseReady JWTAuthenticatorPhase = "Ready"
// JWTAuthenticatorPhaseError is the phase for an JWTAuthenticator in an unhealthy state.
JWTAuthenticatorPhaseError JWTAuthenticatorPhase = "Error"
)
// Status of a JWT authenticator.
type JWTAuthenticatorStatus struct {
// Represents the observations of the authenticator's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Phase summarizes the overall status of the JWTAuthenticator.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase JWTAuthenticatorPhase `json:"phase,omitempty"`
}
// Spec for configuring a JWT authenticator.
type JWTAuthenticatorSpec struct {
// Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
// also used to validate the "iss" JWT claim.
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:Pattern=`^https://`
Issuer string `json:"issuer"`
// Audience is the required value of the "aud" JWT claim.
// +kubebuilder:validation:MinLength=1
Audience string `json:"audience"`
// Claims allows customization of the claims that will be mapped to user identity
// for Kubernetes access.
// +optional
Claims JWTTokenClaims `json:"claims"`
// TLS configuration for communicating with the OIDC provider.
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
}
// JWTTokenClaims allows customization of the claims that will be mapped to user identity
// for Kubernetes access.
type JWTTokenClaims struct {
// Groups is the name of the claim which should be read to extract the user's
// group membership from the JWT token. When not specified, it will default to "groups".
// +optional
Groups string `json:"groups"`
// Username is the name of the claim which should be read to extract the
// username from the JWT token. When not specified, it will default to "username".
// +optional
Username string `json:"username"`
}
// JWTAuthenticator describes the configuration of a JWT authenticator.
//
// Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
// signature, existence of claims, etc.) and extract the username and groups from the token.
//
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type JWTAuthenticator struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the authenticator.
Spec JWTAuthenticatorSpec `json:"spec"`
// Status of the authenticator.
Status JWTAuthenticatorStatus `json:"status,omitempty"`
}
// List of JWTAuthenticator objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type JWTAuthenticatorList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []JWTAuthenticator `json:"items"`
}

2
generated/1.34/apis/concierge/authentication/v1alpha1/types_tls.go → generated/1.25/apis/concierge/authentication/v1alpha1/types_tls.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

2
generated/1.33/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go → generated/1.25/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

67
generated/1.34/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go → generated/1.25/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by deepcopy-gen. DO NOT EDIT.
@@ -29,38 +29,6 @@ func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDa
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ClaimValidationRule) DeepCopyInto(out *ClaimValidationRule) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClaimValidationRule.
func (in *ClaimValidationRule) DeepCopy() *ClaimValidationRule {
if in == nil {
return nil
}
out := new(ClaimValidationRule)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ExtraMapping) DeepCopyInto(out *ExtraMapping) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtraMapping.
func (in *ExtraMapping) DeepCopy() *ExtraMapping {
if in == nil {
return nil
}
out := new(ExtraMapping)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
*out = *in
@@ -125,17 +93,7 @@ func (in *JWTAuthenticatorList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
*out = *in
in.Claims.DeepCopyInto(&out.Claims)
if in.ClaimValidationRules != nil {
in, out := &in.ClaimValidationRules, &out.ClaimValidationRules
*out = make([]ClaimValidationRule, len(*in))
copy(*out, *in)
}
if in.UserValidationRules != nil {
in, out := &in.UserValidationRules, &out.UserValidationRules
*out = make([]UserValidationRule, len(*in))
copy(*out, *in)
}
out.Claims = in.Claims
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
@@ -180,11 +138,6 @@ func (in *JWTAuthenticatorStatus) DeepCopy() *JWTAuthenticatorStatus {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *JWTTokenClaims) DeepCopyInto(out *JWTTokenClaims) {
*out = *in
if in.Extra != nil {
in, out := &in.Extra, &out.Extra
*out = make([]ExtraMapping, len(*in))
copy(*out, *in)
}
return
}
@@ -219,22 +172,6 @@ func (in *TLSSpec) DeepCopy() *TLSSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *UserValidationRule) DeepCopyInto(out *UserValidationRule) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserValidationRule.
func (in *UserValidationRule) DeepCopy() *UserValidationRule {
if in == nil {
return nil
}
out := new(UserValidationRule)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WebhookAuthenticator) DeepCopyInto(out *WebhookAuthenticator) {
*out = *in

2
generated/1.32/apis/concierge/config/v1alpha1/doc.go → generated/1.25/apis/concierge/config/v1alpha1/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:deepcopy-gen=package

2
generated/1.33/apis/concierge/config/v1alpha1/register.go → generated/1.25/apis/concierge/config/v1alpha1/register.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1

20
generated/1.33/apis/concierge/config/v1alpha1/types_credentialissuer.go → generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -161,6 +161,24 @@ type ImpersonationProxyServiceSpec struct {
type CredentialIssuerStatus struct {
// List of integration strategies that were attempted by Pinniped.
Strategies []CredentialIssuerStrategy `json:"strategies"`
// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
// This field is deprecated and will be removed in a future version.
// +optional
KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
}
// CredentialIssuerKubeConfigInfo provides the information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
// This type is deprecated and will be removed in a future version.
type CredentialIssuerKubeConfigInfo struct {
// The K8s API server URL.
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:Pattern=`^https://|^http://`
Server string `json:"server"`
// The K8s API server CA bundle.
// +kubebuilder:validation:MinLength=1
CertificateAuthorityData string `json:"certificateAuthorityData"`
}
// CredentialIssuerStrategy describes the status of an integration strategy that was attempted by Pinniped.

23
generated/1.33/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go → generated/1.25/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by deepcopy-gen. DO NOT EDIT.
@@ -66,6 +66,22 @@ func (in *CredentialIssuerFrontend) DeepCopy() *CredentialIssuerFrontend {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CredentialIssuerKubeConfigInfo) DeepCopyInto(out *CredentialIssuerKubeConfigInfo) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialIssuerKubeConfigInfo.
func (in *CredentialIssuerKubeConfigInfo) DeepCopy() *CredentialIssuerKubeConfigInfo {
if in == nil {
return nil
}
out := new(CredentialIssuerKubeConfigInfo)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CredentialIssuerList) DeepCopyInto(out *CredentialIssuerList) {
*out = *in
@@ -130,6 +146,11 @@ func (in *CredentialIssuerStatus) DeepCopyInto(out *CredentialIssuerStatus) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.KubeConfigInfo != nil {
in, out := &in.KubeConfigInfo, &out.KubeConfigInfo
*out = new(CredentialIssuerKubeConfigInfo)
**out = **in
}
return
}

2
generated/1.33/apis/concierge/identity/doc.go → generated/1.25/apis/concierge/identity/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// +k8s:deepcopy-gen=package

Some files were not shown because too many files have changed in this diff Show More