mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-01-31 10:02:33 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: mirrors:v0.28.0
Branches Tags
mirrors:main mirrors:pinny/bump-deps mirrors:dependabot/docker/dockerfiles/eks-deployer/ci/amazon/aws-cli-2.33.11 mirrors:dependabot/docker/dockerfiles/k8s-app-deployer/ci/google/cloud-sdk-554.0.0-slim mirrors:dependabot/docker/dockerfiles/integration-test-runner-beta/ci/google/cloud-sdk-554.0.0-slim mirrors:dependabot/docker/dockerfiles/integration-test-runner/ci/google/cloud-sdk-554.0.0-slim mirrors:ci mirrors:jtc/freeze-k8s-utils mirrors:jtc/add-a-bunch-of-groups mirrors:poc/AuditEventFrom_replacement mirrors:jtc/bump-to-k8s-0-34-0 mirrors:move_ci mirrors:upgrade_linter_may_2025 mirrors:jtc/bump-to-k8s-1-32-libs mirrors:jtc/backfill-test mirrors:jtc/warn-when-tokens-are-large mirrors:jtc/externally-configured-serving-certs mirrors:jtc/use-soft-memory-limit-1103 mirrors:poc/session_length mirrors:jtc/propose-opt-out-of-self-signed-cas mirrors:poc/kube_csr_api mirrors:release-0.12 mirrors:poc/client-side-logout mirrors:release-0.4
mirrors:v0.44.0 mirrors:v0.43.0 mirrors:v0.42.0 mirrors:v0.41.0 mirrors:v0.40.0 mirrors:v0.39.0 mirrors:v0.38.0 mirrors:v0.37.0 mirrors:v0.36.0 mirrors:v0.35.0 mirrors:v0.34.0 mirrors:v0.33.0 mirrors:v0.32.0 mirrors:v0.31.0 mirrors:v0.30.0 mirrors:v0.29.0 mirrors:v0.28.0 mirrors:v0.27.0 mirrors:v0.26.0 mirrors:v0.25.0 mirrors:v0.24.0 mirrors:v0.23.0 mirrors:v0.22.0 mirrors:v0.21.0 mirrors:v0.20.0 mirrors:v0.19.0 mirrors:v0.18.0 mirrors:v0.17.0 mirrors:v0.16.0 mirrors:v0.15.0 mirrors:v0.12.1 mirrors:v0.14.0 mirrors:v0.13.0 mirrors:v0.12.0 mirrors:v0.11.0 mirrors:v0.10.0 mirrors:v0.4.4 mirrors:v0.9.2 mirrors:v0.9.1 mirrors:v0.9.0 mirrors:v0.4.3 mirrors:v0.8.0 mirrors:v0.4.2 mirrors:v0.7.0 mirrors:v0.6.0 mirrors:v0.5.0 mirrors:v0.4.1 mirrors:v0.4.0 mirrors:v0.3.0 mirrors:v0.2.0 mirrors:v0.1.0
..
compare: mirrors:v0.29.0
Branches Tags
mirrors:main mirrors:pinny/bump-deps mirrors:dependabot/docker/dockerfiles/eks-deployer/ci/amazon/aws-cli-2.33.11 mirrors:dependabot/docker/dockerfiles/k8s-app-deployer/ci/google/cloud-sdk-554.0.0-slim mirrors:dependabot/docker/dockerfiles/integration-test-runner-beta/ci/google/cloud-sdk-554.0.0-slim mirrors:dependabot/docker/dockerfiles/integration-test-runner/ci/google/cloud-sdk-554.0.0-slim mirrors:ci mirrors:jtc/freeze-k8s-utils mirrors:jtc/add-a-bunch-of-groups mirrors:poc/AuditEventFrom_replacement mirrors:jtc/bump-to-k8s-0-34-0 mirrors:move_ci mirrors:upgrade_linter_may_2025 mirrors:jtc/bump-to-k8s-1-32-libs mirrors:jtc/backfill-test mirrors:jtc/warn-when-tokens-are-large mirrors:jtc/externally-configured-serving-certs mirrors:jtc/use-soft-memory-limit-1103 mirrors:poc/session_length mirrors:jtc/propose-opt-out-of-self-signed-cas mirrors:poc/kube_csr_api mirrors:release-0.12 mirrors:poc/client-side-logout mirrors:release-0.4
mirrors:v0.44.0 mirrors:v0.43.0 mirrors:v0.42.0 mirrors:v0.41.0 mirrors:v0.40.0 mirrors:v0.39.0 mirrors:v0.38.0 mirrors:v0.37.0 mirrors:v0.36.0 mirrors:v0.35.0 mirrors:v0.34.0 mirrors:v0.33.0 mirrors:v0.32.0 mirrors:v0.31.0 mirrors:v0.30.0 mirrors:v0.29.0 mirrors:v0.28.0 mirrors:v0.27.0 mirrors:v0.26.0 mirrors:v0.25.0 mirrors:v0.24.0 mirrors:v0.23.0 mirrors:v0.22.0 mirrors:v0.21.0 mirrors:v0.20.0 mirrors:v0.19.0 mirrors:v0.18.0 mirrors:v0.17.0 mirrors:v0.16.0 mirrors:v0.15.0 mirrors:v0.12.1 mirrors:v0.14.0 mirrors:v0.13.0 mirrors:v0.12.0 mirrors:v0.11.0 mirrors:v0.10.0 mirrors:v0.4.4 mirrors:v0.9.2 mirrors:v0.9.1 mirrors:v0.9.0 mirrors:v0.4.3 mirrors:v0.8.0 mirrors:v0.4.2 mirrors:v0.7.0 mirrors:v0.6.0 mirrors:v0.5.0 mirrors:v0.4.1 mirrors:v0.4.0 mirrors:v0.3.0 mirrors:v0.2.0 mirrors:v0.1.0

123 Commits
v0.28.0 ... v0.29.0

Author SHA1 Message Date
Joshua Casey
cc96f85ec7 Merge pull request #1893 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-03-13 09:46:15 -05:00
Pinny
6557197bae Bump dependencies 2024-03-13 13:03:41 +00:00
Ryan Richard
ed351938d4 Merge pull request #1892 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-03-12 09:13:47 -07:00
Pinny
718cf234b8 Bump dependencies 2024-03-12 13:02:12 +00:00
Joshua Casey
159b2d50eb Merge pull request #1891 from vmware-tanzu/jtc/use-uber-mock-1778 
Use go.uber.org/mock instead of github.com/golang/mock and rerun mock generation
 2024-03-11 16:08:50 -05:00
Joshua Casey
bc8aebeffe Use go.uber.org/mock instead of github.com/golang/mock and rerun mock generation 2024-03-11 13:42:30 -05:00
Joshua Casey
135eab037e Merge pull request #1890 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-03-11 10:26:39 -05:00
Pinny
714aa59a34 Bump dependencies 2024-03-11 13:02:32 +00:00
Ryan Richard
33fe2bcff4 Merge pull request #1880 from vmware-tanzu/dependabot/go_modules/hack/update-go-mod/golang.org/x/mod-0.16.0 
Bump golang.org/x/mod from 0.15.0 to 0.16.0 in /hack/update-go-mod
 2024-03-09 09:35:29 -08:00
dependabot[bot]
665b921d63 Bump golang.org/x/mod from 0.15.0 to 0.16.0 in /hack/update-go-mod 
Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.15.0 to 0.16.0.
- [Commits](https://github.com/golang/mod/compare/v0.15.0...v0.16.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-03-09 16:38:21 +00:00
Ryan Richard
b99634764f Merge pull request #1883 from vmware-tanzu/ghcr 
Use ghcr instead of Harbor as the default for pinniped-server images
 2024-03-08 16:40:17 -08:00
Ryan Richard
4a8cd180f8 Use ghcr instead of Harbor as the default for pinniped-server images 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-03-08 15:52:39 -08:00
Joshua Casey
6c7d3e62dd Merge pull request #1885 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-03-08 17:28:34 -06:00
Pinny
c4b5476088 Bump dependencies 2024-03-08 14:31:58 -08:00
Ryan Richard
61835e9f08 Merge pull request #1887 from vmware-tanzu/cli_callback_cors_get 
CLI's localhost listener handles CORS preflight requests for GETs
 2024-03-08 14:24:01 -08:00
Ryan Richard
d49b011d65 Merge branch 'main' into cli_callback_cors_get 2024-03-08 11:36:32 -08:00
Ryan Richard
f881bbb137 Merge pull request #1884 from vmware-tanzu/jtc/new-whoami-identity-document-extra-fields 
whoami integration test now allows for additional extra fields in K8s 1.30+
 2024-03-08 11:16:23 -08:00
Ryan Richard
f55d56bf4a CLI's localhost listener handles CORS preflight requests for GETs 2024-03-08 10:45:57 -08:00
Joshua Casey
ffc49d96b3 Integration tests should use a valid value for CredentialIssuer spec.impersonationProxy.service.type 2024-03-08 11:19:15 -06:00
Joshua Casey
8a40dda3ab Bump google.golang.org/protobuf to v1.33.0 for CVE-2024-24786 2024-03-08 11:19:15 -06:00
Joshua Casey
ab0682917a whoami integration test now allows for additional extra fields in K8s 1.30+ 2024-03-07 08:09:16 -06:00
Joshua Casey
ed15927d90 Merge pull request #1882 from vmware-tanzu/chrome_debugging 
Add some logging and comments making it easier to debug with chrome
 2024-03-05 16:15:40 -06:00
Ryan Richard
e43cf81c38 Add some logging and comments making it easier to debug with chrome 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-03-05 13:26:08 -08:00
Ryan Richard
eb08a9f91f Merge pull request #1881 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-03-05 08:18:47 -08:00
Pinny
9423ff5e48 Bump dependencies 2024-03-05 14:01:54 +00:00
Joshua Casey
df580fcb39 Merge pull request #1879 from vmware-tanzu/replace_otelhttptrace 
replace verison of otelhttptrace in go.mod
 2024-03-04 17:33:00 -06:00
Ryan Richard
ca58911cc2 replace verison of otelhttptrace in go.mod 2024-03-04 14:38:42 -08:00
Ryan Richard
6afc48849a Merge pull request #1878 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-03-01 09:29:44 -08:00
Pinny
5569b114ba Bump dependencies 2024-03-01 14:02:56 +00:00
Ryan Richard
c8bfe780c7 Merge pull request #1877 from vmware-tanzu/codegen-Feb29 
Add generated code for Kube 1.29, update other generated code
 2024-02-29 12:57:11 -08:00
Ryan Richard
b79a2ccf7c Add 1.29 and update patch versions in kube-versions.txt; run codegen 2024-02-29 12:00:02 -08:00
Ryan Richard
27d0c58319 Change codegen scripts to work with Kube 1.29 
- Also add support for having comments in kube-versions.txt.
- Update boilerplate copyright dates for generated code files.
 2024-02-29 11:46:26 -08:00
Ryan Richard
ffadca7f68 Merge pull request #1876 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-02-28 08:18:08 -08:00
Pinny
62c086a725 Bump dependencies 2024-02-28 14:02:53 +00:00
Ryan Richard
99781443b0 Merge pull request #1851 from vmware-tanzu/ben/status/jwt-authenticator 
Improve JWTAuthenticator Status
 2024-02-27 16:41:54 -08:00
Ryan Richard
f498cb3918 wait for JWTAuthenticator to be phase=ready in supervisor warnings test 2024-02-27 15:45:33 -08:00
Benjamin A. Petersen
e8482ab9e9 Update jwtauthenticator unit tests to check actions 
- Add test to verify timestamps are particularly updated
- Improve diff output in tests for actions
- Make jwtauthenticator status tests parallel
- Update copyright headers in multiple files
 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
868ff9ed2b Update jwk authenticator status integration tests 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
42acf8dcce Add Status & tests for jwks key fetching 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
1c7e7048a8 Update copyright year in modified files 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
73e4d3144b Add integration tests for JWTAuthenticators 
- paired with changes to e2e_test.go, adds Status.Condition assertions
  around JWTAuthenticators
 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
1a633adde6 add WaitForJWTAuthenticatorStatusPhase() integration helper 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
09bd51f481 fix comment in testlib/client.go 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
084c3114f4 Improve jwtcachefiller tests 
- some format updates
- add timestamp to test
- fix order of expect,actual in some assertions
- remove some commented code no longer needed
 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
47639340ec extract status comparison test helpers 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
fd14a5794e ldap upstream watcher: rename local var for clarity 2024-02-27 15:45:32 -08:00
Benjamin A. Petersen
a4447fa606 Add .Status to JWTAuthenticator with Conditions,Phase 
- "Ready" condition & supporting conditions
- Legacy "Phase" for convenience
- Refactor newCachedJWTAuthenticator() func
  to improve ability to provide additional conditions
- Update JWTAuthenticator.Status type
- Update RBAC for SA to get/watch/update JWTAuthenticator.Status
- Update logger to plog, add tests for logs & statuses
- update Sync() to reduce enqueue when error is config/user managed, perhaps remove validateJWKSResponse()
 2024-02-27 15:45:32 -08:00
Ryan Richard
f18d7310a8 Merge pull request #1875 from vmware-tanzu/pinny/bump-deps 
Bump dependencies (adds gotoolchain to go.mod) and fix CodeQL and unit test races
 2024-02-27 15:43:32 -08:00
Ryan Richard
28251f8b92 Update some comments in go.mod 2024-02-27 14:54:26 -08:00
Ryan Richard
50b54580de Fix races in login_test.go units tests 2024-02-27 14:54:05 -08:00
Ryan Richard
d88883328a Update codeql workflow actions to latest versions and add setup-go 
See deprecation of v2 message in README.md at
https://github.com/github/codeql-action

Added setup-go because codeql code scanning stopped working and gave
this error message:
The go.mod file requires version v1.21.3 of Go, but version v1.20.14 is installed. Consider adding an actions/setup-go step to your workflow.
 2024-02-27 12:26:32 -08:00
Pinny
ca6687d428 Bump dependencies 2024-02-27 14:03:11 +00:00
Ryan Richard
848d83c496 Merge pull request #1874 from vmware-tanzu/cli_checks_if_stderr_is_tty 
"login oidc" CLI command sometimes skips printing auth URL for non-ttys
 2024-02-26 14:56:24 -08:00
Ryan Richard
5bd73fc10d "login oidc" CLI command sometimes skips printing auth URL for non-ttys 2024-02-23 12:23:07 -08:00
Ryan Richard
40e548ebf0 Merge pull request #1873 from vmware-tanzu/1864_followup 
CLI deciding if token exchange needed should not look at ID token expiry
 2024-02-23 12:17:54 -08:00
Ryan Richard
64b0e69430 Update configure-concierge-jwt.md doc with clarifications 2024-02-23 08:37:43 -08:00
Ryan Richard
daec673b81 Add hack/prepare-jwtauthenticator-on-kind.sh 2024-02-23 08:37:43 -08:00
Ryan Richard
01d6bdb497 CLI deciding if token exchange needed should not look at ID token expiry 
This fixes a small mistake in PR #1864. When the "pinniped login oidc"
CLI command is deciding if the RFC8693 token exchange is needed, it
should not look at the expiry of the ID token. This mistake would cause
the RFC8693 token exchange to happen when the OIDC provider is not
a Pinniped Supervisor, which would fail because most other providers
do not support that type of token exchange.

It does not matter if the current ID token is close to expiring when
deciding if the RFC8693 token exchange is needed, because the token
exchange is going to yield a new ID token anyway. It does matter if the
current ID token is close to expiring if the CLI decides that it is
not going to perform the token exchange, and this commit does not change
that logic.
 2024-02-23 08:37:01 -08:00
Ryan Richard
216fce70aa Merge pull request #1872 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-02-23 06:51:43 -08:00
Pinny
5939ce8cc6 Bump dependencies 2024-02-23 14:00:47 +00:00
Ryan Richard
9471ed2d09 Merge pull request #1871 from vmware-tanzu/always_search_groups 
Don't skip upstream group memberships when groups scope is not granted
 2024-02-22 08:11:08 -08:00
Ryan Richard
0d31e955ae Don't skip upstream group memberships when groups scope is not granted 
Background: For dynamic clients, the groups scope is not always allowed
and/or requested by the client, so it will not always be granted by the
Supervisor for an authorization request.

Previously, when the groups scope was not granted, we would skip
searching for upstream groups in some scenarios.

This commit changes the behavior of authorization flows so that even
when the groups scope is not granted we still search for the upstream
group memberships as configured, and we pass the upstream group
memberships into any configured identity transformations. The identity
transformations could potentially reject the user's authentication based
on their upstream group membership.

When the groups scope is not granted, we don't include the groups in
the final Supervisor-issued ID token. This behavior is not changed.
 2024-02-21 13:12:18 -08:00
Ryan Richard
5697bb2915 Merge pull request #1870 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-02-21 08:07:37 -08:00
Pinny
ca7b27de3f Bump dependencies 2024-02-21 14:02:55 +00:00
Ryan Richard
867468ee66 Merge pull request #1867 from vmware-tanzu/refactor_supervisor_authenticators 
Refactor Supervisor to make interface for upstream IDPs, to better separate upstream and downstream concerns
 2024-02-20 22:11:52 -08:00
Ryan Richard
4b4a4ad592 Rename a func and collapse applying id transforms into creating session 2024-02-20 14:47:28 -08:00
Ryan Richard
b341e52214 Refactor to move invocation of identity transforms out of IDP interfaces 
Each endpoint handler is now responsible for applying the identity
transformations and creating most of the session data, rather than each
implementation of the upstream IDP interface. This shares code better,
and reduces the responsibilities of the implementations of the IDP
interface by letting them focus more on the upstream stuff.

Also refactor the parameters and return types of the IDP interfaces to
make them more clear, and because they can be more focused on upstream
identities (pre-identity transformation). This clarifies the
responsibilities of the implementations of the IDP interface.
 2024-02-20 10:45:54 -08:00
Ryan Richard
1e8e7b948e Refactor token endpoint to add interface for IDP upstream refresh 2024-02-20 09:26:34 -08:00
Ryan Richard
1bc13e94f7 Refactor to extract interface for upstream IDP interactions 
Create an interface to abstract the upstream IDP from the
authorize, IDP discovery, callback, choose IDP, and login
endpoints. This commit does not refactor the token endpoint,
which will be refactored in a similar way in the next commit.
 2024-02-20 09:26:34 -08:00
Ryan Richard
9db87132b1 More refactoring of auth handler and related refactor of upstreamldap 
- continued refactoring the auth handler to share more code between
  the two supported browserless flows: OIDC and LDAP/AD
- the upstreamldap package should not know about the concept of
  OIDC granted scopes, so refactored it to be a skipGroups bool
 2024-02-20 09:26:34 -08:00
Ryan Richard
9992855cb8 Refactor error handling in authorize endpoint (changes some responses) 
- Simplify the error handling in the authorize endpoint by making the
  private helper functions return fosite-style errors, and having
  one place that writes those errors to the response.
- Some types of errors were previously returned as regular http-style
  errors. Those have all been converted to be returned as oauth-style
  errors (which can be redirects to the client), except for http method
  not found errors. This is a change in behavior from the client's point
  of view, but only when those unexpected errors happen. These types of
  errors are more consistent with RFC6749 section 4.1.2.1.
- Avoids using the httperr package for error handling.
- Create a struct for the handler as a first step toward making smaller
  functions with fewer parameters.
 2024-02-20 09:26:34 -08:00
Ryan Richard
23dce42a94 Merge pull request #1869 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-02-20 09:25:16 -08:00
Pinny
edf92303ae Bump dependencies 2024-02-20 15:57:22 +00:00
Ryan Richard
719cd75f64 Merge pull request #1866 from vmware-tanzu/upgrade_fosite_feb_2024 
Upgrade fosite to latest version
 2024-02-13 11:25:24 -08:00
Ryan Richard
ceb9973657 Correct doc which explained bug that has since been fixed. 2024-02-13 10:16:41 -08:00
Ryan Richard
cf82cf996e Adjust tests and comments for upgrade to latest version of fosite 2024-02-13 10:16:41 -08:00
Pinny
5c702738cf Bump dependencies 2024-02-13 16:44:20 +00:00
Ryan Richard
485b2271f0 Merge pull request #1864 from vmware-tanzu/cli_use_cached_access_token 
login oidc cmd checks access token expiry before doing token exchange
 2024-02-09 14:21:05 -08:00
Ryan Richard
dce9409ccc login oidc cmd checks access token expiry before doing token exchange 
In the RFC8693 token exchange, the CLI sends your access token and
receives in exchange a new cluster-scoped ID token.

Fix a bug in the CLI. Whenever the "pinniped login oidc" command was
planning to perform the RFC8693 token exchange, it failed to check if
the cached access token was still valid before performing the exchange,
which sends the access token. It instead checked if the cached ID token
was still valid, but that it not relevant in this situation because the
ID token is not going to be used for anything (instead the new ID token
returned by the RFC8693 token exchange will be used for auth).

This bug doesn't actually matter today, because the Supervisor-issued
access and ID tokens always both have the same 2-minute lifetimes.
However, future enhancements may cause them to have different lifetimes
in certain circumstances. Fixing this CLI bug now to prepare for those
potential future enhancements.
 2024-02-09 13:33:30 -08:00
Ryan Richard
d5ce48bd4b Convert double-quoted strings to raw strings in login_test.go 2024-02-09 08:38:51 -08:00
Ryan Richard
492dfa84d8 Merge pull request #1862 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-02-09 08:20:58 -08:00
Pinny
e4fddc3596 Bump dependencies 2024-02-09 14:02:39 +00:00
Ryan Richard
ad9d9ce1a5 Merge pull request #1863 from vmware-tanzu/revert_support_for_new_goboring 
Upgrade to Go 1.22 and revert support for new goboring
 2024-02-08 15:05:38 -08:00
Ryan Richard
904a60f04a Fix ptls_test.go for Go 1.22 2024-02-08 14:13:09 -08:00
Ryan Richard
bf3b4bfca7 Rerun codegen after upgrading CI controller-gen from v0.13.0 to v0.14.0 2024-02-08 13:27:02 -08:00
Ryan Richard
560ee45b50 Fix plog_test.go for Go 1.22 2024-02-08 11:53:59 -08:00
Ryan Richard
d2794114f4 Revert support TLS 1.3 in FIPS mode because Go reverted goboring upgrade 
Goboring only allows TLS 1.2.

The next goboring will allow both TLS 1.2 and TLS 1.3. We got a preview
of this when the Go team upgraded goboring in Go 1.21.6, but then
downgraded it again in the next Go releases.

When the Go team eventually upgrades goboring again, then we can
revert this commit to bring back TLS 1.3 support in FIPS mode.
 2024-02-08 10:43:52 -08:00
Ryan Richard
e303a45dd1 Test util AssertTLS supports both old and new goboring 
- Current goboring only allows TLS 1.2.
- The next goboring will allow TLS 1.2 and TLS 1.3. We got a preview
  of this when the Go team upgraded goboring in Go 1.21.6, but then
  downgraded it again in the next Go releases.
 2024-02-08 09:39:01 -08:00
Pinny
c47bc74ad0 Bump dependencies 2024-02-07 20:09:08 +00:00
Ryan Richard
a728822993 Merge pull request #1861 from vmware-tanzu/dependabot/go_modules/hack/update-go-mod/golang.org/x/mod-0.15.0 
Bump golang.org/x/mod from 0.14.0 to 0.15.0 in /hack/update-go-mod
 2024-02-07 11:04:16 -08:00
dependabot[bot]
5cd4d47f9e Bump golang.org/x/mod from 0.14.0 to 0.15.0 in /hack/update-go-mod 
Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.14.0 to 0.15.0.
- [Commits](https://github.com/golang/mod/compare/v0.14.0...v0.15.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-02-07 02:01:12 +00:00
Ryan Richard
2832e7c45e Merge pull request #1858 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-02-06 08:48:32 -08:00
Pinny
04bb45947d Bump dependencies 2024-02-06 14:01:03 +00:00
Ryan Richard
f2c9b67854 Merge pull request #1856 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-02-02 10:03:18 -08:00
Pinny
e05ae08b77 Bump dependencies 2024-02-02 17:01:56 +00:00
Ryan Richard
1ab1fd4c50 Merge pull request #1855 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-02-01 10:06:48 -08:00
Pinny
d17dd65d0f Bump dependencies 2024-02-01 17:19:17 +00:00
Ryan Richard
a832bb641b Merge pull request #1854 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-01-31 06:52:30 -08:00
Pinny
18da164130 Bump dependencies 2024-01-31 14:02:55 +00:00
Ryan Richard
07b1a144b3 Merge pull request #1853 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-01-29 08:58:42 -08:00
Pinny
4c3f304ba5 Bump dependencies 2024-01-29 14:03:06 +00:00
Ryan Richard
c7445def21 Merge pull request #1852 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-01-26 09:01:20 -08:00
Pinny
d23f6690af Bump dependencies 2024-01-26 14:02:26 +00:00
Ryan Richard
0a8264c9c8 Merge pull request #1850 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-01-24 09:44:18 -08:00
Pinny
8c7cda84e1 Bump dependencies 2024-01-24 16:59:33 +00:00
Ryan Richard
6767a07a8d Merge pull request #1839 from vmware-tanzu/update_ci_url 
Update CI URL, increase lint timeout, disable some dependabot updates
 2024-01-19 12:58:22 -08:00
Ryan Richard
6908c2ab65 disable dependabot for some things in favor of our own tooling 2024-01-19 11:34:47 -08:00
Ryan Richard
80b65619bf Increase the lint timeout in hack/module.sh for when CI workers get slow 2024-01-19 11:34:47 -08:00
Ryan Richard
2aa87dd069 update CI URL in CONTRIBUTING.md 2024-01-19 11:34:47 -08:00
Ryan Richard
bb99d269eb Merge pull request #1836 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-01-19 11:32:42 -08:00
Pinny
84a1f2a771 Bump dependencies 2024-01-19 17:06:03 +00:00
Ryan Richard
e67838932d Merge pull request #1841 from vmware-tanzu/new_fips_compiler 
Support new golang fips compiler
 2024-01-19 08:17:43 -08:00
Ryan Richard
50e4d6db6c Support the new Go FIPS compiler which was upgraded inside Go 1.21.6 
The release of Go 1.21.6 includes the new boring crypto when compiling
with FIPS enabled. See https://go.dev/doc/devel/release#go1.21.0 and
https://github.com/golang/go/issues/64717.

This new version of boring crypto allows the use of TLS v1.3 for the
first time, so we changed the Pinniped code to use TLS v1.3 where
appropriate when compiled with the FIPS compiler. It also changed the
allowed TLS v1.2 ciphers, so we updated those as well.

After this commit, the project must be compiled by at least Go v1.21.6
when compiling in fips mode. The hack/Dockerfile_fips was already
updated to use that version of Go in a previous commit.

Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
 2024-01-18 14:23:26 -08:00
Pinny
bcf070cb73 Bump dependencies 2024-01-16 12:33:40 -08:00
Ryan Richard
4ce96634c6 Merge pull request #1835 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-01-09 09:55:19 -08:00
Pinny
c356754aaa Bump dependencies 2024-01-09 09:24:04 +00:00
Ryan Richard
75a130bafd Merge pull request #1830 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-01-08 08:59:14 -08:00
Pinny
1d6e51d14a Bump dependencies 2024-01-08 09:03:58 +00:00
Ryan Richard
da9432b5b2 Merge pull request #1829 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-01-05 09:23:14 -08:00
Pinny
d4971ef2da Bump dependencies 2024-01-05 16:34:26 +00:00
Ryan Richard
bdb7f80571 Merge pull request #1825 from vmware-tanzu/kube_v0.29.0 
Update dependencies, including Kube packages to v0.29.0
 2024-01-04 13:29:44 -08:00
Ryan Richard
c7299f4daf Update dependencies, including Kube packages to v0.29.0 2024-01-04 12:30:22 -08:00
Pinny
659224a207 Updated versions in docs for v0.28.0 release 2023-12-15 18:56:15 +00:00
1553 changed files with 54906 additions and 15264 deletions
Expand all files Collapse all files

30
.github/dependabot.yml vendored
View File

@@ -2,11 +2,6 @@
version: 2
updates:
- package-ecosystem: "gomod"
open-pull-requests-limit: 100
directory: "/"
schedule:
interval: "daily"
- package-ecosystem: "gomod"
open-pull-requests-limit: 2
@@ -14,12 +9,21 @@ updates:
schedule:
interval: "daily"
- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "daily"
# Our own CI job is responsible for updating this go.mod file now.
# - package-ecosystem: "gomod"
# open-pull-requests-limit: 100
# directory: "/"
# schedule:
# interval: "daily"
- package-ecosystem: "docker"
directory: "/hack" # this should keep the FIPS dockerfile updated per https://github.com/dependabot/feedback/issues/145#issuecomment-414738498
schedule:
interval: "daily"
# Our own CI job is responsible for updating this Docker file now.
# - package-ecosystem: "docker"
# directory: "/"
# schedule:
# interval: "daily"
# Our own CI job is responsible for updating this Docker file now.
# - package-ecosystem: "docker"
# directory: "/hack" # this should keep the FIPS dockerfile updated per https://github.com/dependabot/feedback/issues/145#issuecomment-414738498
# schedule:
# interval: "daily"

16
.github/workflows/codeql-analysis.yml vendored
View File

@@ -29,11 +29,13 @@ jobs:
language: [ 'go', 'javascript' ]
steps:
# Checkout our repository.
# See https://github.com/actions/checkout for documentation.
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
@@ -43,10 +45,16 @@ jobs:
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
# Install Go.
# See https://github.com/actions/setup-go?tab=readme-ov-file#getting-go-version-from-the-gomod-file.
- uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2
uses: github/codeql-action/autobuild@v3
# Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
@@ -59,6 +67,6 @@ jobs:
# ./location_of_script_within_repo/buildscript.sh
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"

2
CONTRIBUTING.md
View File

@@ -154,7 +154,7 @@ To destroy the local Kubernetes cluster, run `./hack/kind-down.sh`.
### Observing Tests on the Continuous Integration Environment
[CI](https://hush-house.pivotal.io/teams/tanzu-user-auth/pipelines/pinniped-pull-requests)
[CI](https://ci.pinniped.dev/teams/main/pipelines/pull-requests)
will not be triggered on a pull request until the pull request is reviewed and
approved for CI by a project [maintainer](MAINTAINERS.md). Once CI is triggered,
the progress and results will appear on the Github page for that

4
Dockerfile
View File

@@ -3,8 +3,8 @@
# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
ARG BUILD_IMAGE=golang:1.21.5@sha256:2ff79bcdaff74368a9fdcb06f6599e54a71caf520fd2357a55feddd504bcaffb
ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:91ca4720011393f4d4cab3a01fa5814ee2714b7d40e6c74f2505f74168398ca9
ARG BUILD_IMAGE=golang:1.22.1@sha256:0b55ab82ac2a54a6f8f85ec8b943b9e470c39e32c109b766bbc1b801f3fa8d3b
ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:55c636171053dbc8ae07a280023bd787d2921f10e569f3e319f1539076dbba11
# Prepare to cross-compile by always running the build stage in the build platform, not the target platform.
FROM --platform=$BUILDPLATFORM $BUILD_IMAGE as build-env

19
apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go.tmpl
View File

@@ -1,10 +1,23 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
type JWTAuthenticatorPhase string
const (
// JWTAuthenticatorPhasePending is the default phase for newly-created JWTAuthenticator resources.
JWTAuthenticatorPhasePending JWTAuthenticatorPhase = "Pending"
// JWTAuthenticatorPhaseReady is the phase for an JWTAuthenticator resource in a healthy state.
JWTAuthenticatorPhaseReady JWTAuthenticatorPhase = "Ready"
// JWTAuthenticatorPhaseError is the phase for an JWTAuthenticator in an unhealthy state.
JWTAuthenticatorPhaseError JWTAuthenticatorPhase = "Error"
)
// Status of a JWT authenticator.
type JWTAuthenticatorStatus struct {
// Represents the observations of the authenticator's current state.
@@ -13,6 +26,10 @@ type JWTAuthenticatorStatus struct {
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Phase summarizes the overall status of the JWTAuthenticator.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase JWTAuthenticatorPhase `json:"phase,omitempty"`
}
// Spec for configuring a JWT authenticator.

6
apis/supervisor/oidc/types_supervisor_oidc.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package oidc
@@ -29,6 +29,10 @@ const (
// IDTokenClaimSubject is name of the subject claim defined by the OIDC spec.
IDTokenClaimSubject = "sub"
// IDTokenSubClaimIDPNameQueryParam is the name of the query param used in the values of the "sub" claim
// in Supervisor-issued ID tokens to identify with which external identity provider the user authenticated.
IDTokenSubClaimIDPNameQueryParam = "idpName"
// IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec.
IDTokenClaimAuthorizedParty = "azp"

14
cmd/pinniped/cmd/login_oidc.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@@ -241,12 +241,12 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
}
pLogger.Debug("Performing OIDC login", "issuer", flags.issuer, "client id", flags.clientID)
// Do the basic login to get an OIDC token.
// Do the basic login to get an OIDC token. Although this can return several tokens, we only need the ID token here.
token, err := deps.login(flags.issuer, flags.clientID, opts...)
if err != nil {
return fmt.Errorf("could not complete Pinniped login: %w", err)
}
cred := tokenCredential(token)
cred := tokenCredential(token.IDToken)
// If the concierge was configured, exchange the credential for a separate short-lived, cluster-specific credential.
if concierge != nil {
@@ -344,18 +344,18 @@ func makeClient(caBundlePaths []string, caBundleData []string) (*http.Client, er
return phttp.Default(pool), nil
}
func tokenCredential(token *oidctypes.Token) *clientauthv1beta1.ExecCredential {
func tokenCredential(idToken *oidctypes.IDToken) *clientauthv1beta1.ExecCredential {
cred := clientauthv1beta1.ExecCredential{
TypeMeta: metav1.TypeMeta{
Kind: "ExecCredential",
APIVersion: "client.authentication.k8s.io/v1beta1",
},
Status: &clientauthv1beta1.ExecCredentialStatus{
Token: token.IDToken.Token,
Token: idToken.Token,
},
}
if !token.IDToken.Expiry.IsZero() {
cred.Status.ExpirationTimestamp = &token.IDToken.Expiry
if !idToken.Expiry.IsZero() {
cred.Status.ExpirationTimestamp = &idToken.Expiry
}
return &cred
}

4
cmd/pinniped/cmd/login_static.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@@ -133,7 +133,7 @@ func runStaticLogin(cmd *cobra.Command, deps staticLoginDeps, flags staticLoginP
return fmt.Errorf("--token-env variable %q is empty", flags.staticTokenEnvName)
}
}
cred := tokenCredential(&oidctypes.Token{IDToken: &oidctypes.IDToken{Token: token}})
cred := tokenCredential(&oidctypes.IDToken{Token: token})
// Look up cached credentials based on a hash of all the CLI arguments, the current token value, and the cluster info.
cacheKey := struct {

119
deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
controller-gen.kubebuilder.io/version: v0.14.0
name: jwtauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev
@@ -31,20 +31,27 @@ spec:
name: v1alpha1
schema:
openAPIV3Schema:
description: "JWTAuthenticator describes the configuration of a JWT authenticator.
\n Upon receiving a signed JWT, a JWTAuthenticator will performs some validation
on it (e.g., valid signature, existence of claims, etc.) and extract the
username and groups from the token."
description: |-
JWTAuthenticator describes the configuration of a JWT authenticator.
Upon receiving a signed JWT, a JWTAuthenticator will performs some validation on it (e.g., valid
signature, existence of claims, etc.) and extract the username and groups from the token.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -56,24 +63,25 @@ spec:
minLength: 1
type: string
claims:
description: Claims allows customization of the claims that will be
mapped to user identity for Kubernetes access.
description: |-
Claims allows customization of the claims that will be mapped to user identity
for Kubernetes access.
properties:
groups:
description: Groups is the name of the claim which should be read
to extract the user's group membership from the JWT token. When
not specified, it will default to "groups".
description: |-
Groups is the name of the claim which should be read to extract the user's
group membership from the JWT token. When not specified, it will default to "groups".
type: string
username:
description: Username is the name of the claim which should be
read to extract the username from the JWT token. When not specified,
it will default to "username".
description: |-
Username is the name of the claim which should be read to extract the
username from the JWT token. When not specified, it will default to "username".
type: string
type: object
issuer:
description: Issuer is the OIDC issuer URL that will be used to discover
public signing keys. Issuer is also used to validate the "iss" JWT
claim.
description: |-
Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
also used to validate the "iss" JWT claim.
minLength: 1
pattern: ^https://
type: string
@@ -97,42 +105,42 @@ spec:
state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -146,11 +154,12 @@ spec:
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -165,6 +174,14 @@ spec:
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the JWTAuthenticator.
enum:
- Pending
- Ready
- Error
type: string
type: object
required:
- spec

78
deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
controller-gen.kubebuilder.io/version: v0.14.0
name: webhookauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev
@@ -32,14 +32,19 @@ spec:
authenticator.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -70,42 +75,42 @@ spec:
state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -119,11 +124,12 @@ spec:
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string

95
deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
controller-gen.kubebuilder.io/version: v0.14.0
name: credentialissuers.config.concierge.pinniped.dev
spec:
group: config.concierge.pinniped.dev
@@ -33,14 +33,19 @@ spec:
Pinniped Concierge credential issuer.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -52,18 +57,19 @@ spec:
of the Concierge impersonation proxy.
properties:
externalEndpoint:
description: "ExternalEndpoint describes the HTTPS endpoint where
the proxy will be exposed. If not set, the proxy will be served
using the external name of the LoadBalancer service or the cluster
service DNS name. \n This field must be non-empty when spec.impersonationProxy.service.type
is \"None\"."
description: |-
ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will
be served using the external name of the LoadBalancer service or the cluster service DNS name.
This field must be non-empty when spec.impersonationProxy.service.type is "None".
type: string
mode:
description: 'Mode configures whether the impersonation proxy
should be started: - "disabled" explicitly disables the impersonation
proxy. This is the default. - "enabled" explicitly enables the
impersonation proxy. - "auto" enables or disables the impersonation
proxy based upon the cluster in which it is running.'
description: |-
Mode configures whether the impersonation proxy should be started:
- "disabled" explicitly disables the impersonation proxy. This is the default.
- "enabled" explicitly enables the impersonation proxy.
- "auto" enables or disables the impersonation proxy based upon the cluster in which it is running.
enum:
- auto
- enabled
@@ -82,20 +88,20 @@ spec:
pairs to set as annotations on the provisioned Service.
type: object
loadBalancerIP:
description: LoadBalancerIP specifies the IP address to set
in the spec.loadBalancerIP field of the provisioned Service.
description: |-
LoadBalancerIP specifies the IP address to set in the spec.loadBalancerIP field of the provisioned Service.
This is not supported on all cloud providers.
maxLength: 255
minLength: 1
type: string
type:
default: LoadBalancer
description: "Type specifies the type of Service to provision
for the impersonation proxy. \n If the type is \"None\",
then the \"spec.impersonationProxy.externalEndpoint\" field
must be set to a non-empty value so that the Concierge can
properly advertise the endpoint in the CredentialIssuer's
status."
description: |-
Type specifies the type of Service to provision for the impersonation proxy.
If the type is "None", then the "spec.impersonationProxy.externalEndpoint" field must be set to a non-empty
value so that the Concierge can properly advertise the endpoint in the CredentialIssuer's status.
enum:
- LoadBalancer
- ClusterIP
@@ -103,20 +109,21 @@ spec:
type: string
type: object
tls:
description: "TLS contains information about how the Concierge
impersonation proxy should serve TLS. \n If this field is empty,
the impersonation proxy will generate its own TLS certificate."
description: |-
TLS contains information about how the Concierge impersonation proxy should serve TLS.
If this field is empty, the impersonation proxy will generate its own TLS certificate.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM
bundle). Used to advertise the CA bundle for the impersonation
proxy endpoint.
description: |-
X.509 Certificate Authority (base64-encoded PEM bundle).
Used to advertise the CA bundle for the impersonation proxy endpoint.
type: string
secretName:
description: SecretName is the name of a Secret in the same
namespace, of type `kubernetes.io/tls`, which contains the
TLS serving certificate for the Concierge impersonation
proxy endpoint.
description: |-
SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
the TLS serving certificate for the Concierge impersonation proxy endpoint.
minLength: 1
type: string
type: object
@@ -131,9 +138,9 @@ spec:
description: CredentialIssuerStatus describes the status of the Concierge.
properties:
kubeConfigInfo:
description: Information needed to form a valid Pinniped-based kubeconfig
using this credential issuer. This field is deprecated and will
be removed in a future version.
description: |-
Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
This field is deprecated and will be removed in a future version.
properties:
certificateAuthorityData:
description: The K8s API server CA bundle.
@@ -160,9 +167,9 @@ spec:
this strategy.
properties:
impersonationProxyInfo:
description: ImpersonationProxyInfo describes the parameters
for the impersonation proxy on this Concierge. This field
is only set when Type is "ImpersonationProxy".
description: |-
ImpersonationProxyInfo describes the parameters for the impersonation proxy on this Concierge.
This field is only set when Type is "ImpersonationProxy".
properties:
certificateAuthorityData:
description: CertificateAuthorityData is the base64-encoded
@@ -180,9 +187,9 @@ spec:
- endpoint
type: object
tokenCredentialRequestInfo:
description: TokenCredentialRequestAPIInfo describes the
parameters for the TokenCredentialRequest API on this
Concierge. This field is only set when Type is "TokenCredentialRequestAPI".
description: |-
TokenCredentialRequestAPIInfo describes the parameters for the TokenCredentialRequest API on this Concierge.
This field is only set when Type is "TokenCredentialRequestAPI".
properties:
certificateAuthorityData:
description: CertificateAuthorityData is the base64-encoded

4
deploy/concierge/rbac.yaml
View File

@@ -43,6 +43,10 @@ rules:
- #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge")
resources: [ jwtauthenticators, webhookauthenticators ]
verbs: [ get, list, watch ]
- apiGroups:
- #@ pinnipedDevAPIGroupWithPrefix("authentication.concierge")
resources: [ jwtauthenticators/status, webhookauthenticators/status ]
verbs: [ get, list, watch, update ]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1

6
deploy/concierge/values.yaml
View File

@@ -1,4 +1,4 @@
#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ def validate_strings_map(obj):
@@ -52,7 +52,7 @@ replicas: 2
#@schema/title "Image repo"
#@schema/desc "The repository for the Concierge container image."
#@schema/validation min_len=1
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
image_repo: ghcr.io/vmware-tanzu/pinniped/pinniped-server
#@schema/title "Image digest"
#@schema/desc "The image digest for the Concierge container image. If both image_digest or an image_tag are given, only image_digest will be used."
@@ -72,7 +72,7 @@ image_tag: latest
#@ on the control plane. This image needs only to include `sleep` and `cat` binaries. \
#@ By default, the same image specified for image_repo/image_digest/image_tag will be re-used."
#@schema/desc kube_cert_agent_image
#@schema/examples ("Image including tag or digest", "projects.registry.vmware.com/pinniped/pinniped-server:latest")
#@schema/examples ("Image including tag or digest", "ghcr.io/vmware-tanzu/pinniped/pinniped-server:latest")
#@schema/nullable
#@schema/validation min_len=1
kube_cert_agent_image: ""

4
deploy/local-user-authenticator/values.yaml
View File

@@ -1,4 +1,4 @@
#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@data/values-schema
@@ -6,7 +6,7 @@
#@schema/title "Image repo"
#@schema/desc "The repository for the local-user-authenticator container image."
#@schema/validation min_len=1
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
image_repo: ghcr.io/vmware-tanzu/pinniped/pinniped-server
#@schema/title "Image digest"
#@schema/desc "The image digest for the local-user-authenticator container image. If both image_digest or an image_tag are given, only image_digest will be used."

414
deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
controller-gen.kubebuilder.io/version: v0.14.0
name: federationdomains.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev
@@ -32,14 +32,19 @@ spec:
description: FederationDomain describes the configuration of an OIDC provider.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -47,63 +52,54 @@ spec:
description: Spec of the OIDC provider.
properties:
identityProviders:
description: "IdentityProviders is the list of identity providers
available for use by this FederationDomain. \n An identity provider
CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes
how to connect to a server, how to talk in a specific protocol for
authentication, and how to use the schema of that server/protocol
to extract a normalized user identity. Normalized user identities
include a username and a list of group names. In contrast, IdentityProviders
describes how to use that normalized identity in those Kubernetes
clusters which belong to this FederationDomain. Each entry in IdentityProviders
can be configured with arbitrary transformations on that normalized
identity. For example, a transformation can add a prefix to all
usernames to help avoid accidental conflicts when multiple identity
providers have different users with the same username (e.g. \"idp1:ryan\"
versus \"idp2:ryan\"). Each entry in IdentityProviders can also
implement arbitrary authentication rejection policies. Even though
a user was able to authenticate with the identity provider, a policy
can disallow the authentication to the Kubernetes clusters that
belong to this FederationDomain. For example, a policy could disallow
the authentication unless the user belongs to a specific group in
the identity provider. \n For backwards compatibility with versions
of Pinniped which predate support for multiple identity providers,
an empty IdentityProviders list will cause the FederationDomain
to use all available identity providers which exist in the same
namespace, but also to reject all authentication requests when there
is more than one identity provider currently defined. In this backwards
compatibility mode, the name of the identity provider resource (e.g.
the Name of an OIDCIdentityProvider resource) will be used as the
name of the identity provider in this FederationDomain. This mode
is provided to make upgrading from older versions easier. However,
instead of relying on this backwards compatibility mode, please
consider this mode to be deprecated and please instead explicitly
list the identity provider using this IdentityProviders field."
description: |-
IdentityProviders is the list of identity providers available for use by this FederationDomain.
An identity provider CR (e.g. OIDCIdentityProvider or LDAPIdentityProvider) describes how to connect to a server,
how to talk in a specific protocol for authentication, and how to use the schema of that server/protocol to
extract a normalized user identity. Normalized user identities include a username and a list of group names.
In contrast, IdentityProviders describes how to use that normalized identity in those Kubernetes clusters which
belong to this FederationDomain. Each entry in IdentityProviders can be configured with arbitrary transformations
on that normalized identity. For example, a transformation can add a prefix to all usernames to help avoid
accidental conflicts when multiple identity providers have different users with the same username (e.g.
"idp1:ryan" versus "idp2:ryan"). Each entry in IdentityProviders can also implement arbitrary authentication
rejection policies. Even though a user was able to authenticate with the identity provider, a policy can disallow
the authentication to the Kubernetes clusters that belong to this FederationDomain. For example, a policy could
disallow the authentication unless the user belongs to a specific group in the identity provider.
For backwards compatibility with versions of Pinniped which predate support for multiple identity providers,
an empty IdentityProviders list will cause the FederationDomain to use all available identity providers which
exist in the same namespace, but also to reject all authentication requests when there is more than one identity
provider currently defined. In this backwards compatibility mode, the name of the identity provider resource
(e.g. the Name of an OIDCIdentityProvider resource) will be used as the name of the identity provider in this
FederationDomain. This mode is provided to make upgrading from older versions easier. However, instead of
relying on this backwards compatibility mode, please consider this mode to be deprecated and please instead
explicitly list the identity provider using this IdentityProviders field.
items:
description: FederationDomainIdentityProvider describes how an identity
provider is made available in this FederationDomain.
properties:
displayName:
description: DisplayName is the name of this identity provider
as it will appear to clients. This name ends up in the kubeconfig
of end users, so changing the name of an identity provider
that is in use by end users will be a disruptive change for
those users.
description: |-
DisplayName is the name of this identity provider as it will appear to clients. This name ends up in the
kubeconfig of end users, so changing the name of an identity provider that is in use by end users will be a
disruptive change for those users.
minLength: 1
type: string
objectRef:
description: ObjectRef is a reference to a Pinniped identity
provider resource. A valid reference is required. If the reference
cannot be resolved then the identity provider will not be
made available. Must refer to a resource of one of the Pinniped
identity provider types, e.g. OIDCIdentityProvider, LDAPIdentityProvider,
ActiveDirectoryIdentityProvider.
description: |-
ObjectRef is a reference to a Pinniped identity provider resource. A valid reference is required.
If the reference cannot be resolved then the identity provider will not be made available.
Must refer to a resource of one of the Pinniped identity provider types, e.g. OIDCIdentityProvider,
LDAPIdentityProvider, ActiveDirectoryIdentityProvider.
properties:
apiGroup:
description: APIGroup is the group for the resource being
referenced. If APIGroup is not specified, the specified
Kind must be in the core API group. For any other third-party
types, APIGroup is required.
description: |-
APIGroup is the group for the resource being referenced.
If APIGroup is not specified, the specified Kind must be in the core API group.
For any other third-party types, APIGroup is required.
type: string
kind:
description: Kind is the type of resource being referenced
@@ -117,17 +113,17 @@ spec:
type: object
x-kubernetes-map-type: atomic
transforms:
description: Transforms is an optional way to specify transformations
to be applied during user authentication and session refresh.
description: |-
Transforms is an optional way to specify transformations to be applied during user authentication and
session refresh.
properties:
constants:
description: Constants defines constant variables and their
values which will be made available to the transform expressions.
items:
description: FederationDomainTransformsConstant defines
a constant variable and its value which will be made
available to the transform expressions. This is a union
type, and Type is the discriminator field.
description: |-
FederationDomainTransformsConstant defines a constant variable and its value which will be made available to
the transform expressions. This is a union type, and Type is the discriminator field.
properties:
name:
description: Name determines the name of the constant.
@@ -162,25 +158,21 @@ spec:
- name
x-kubernetes-list-type: map
examples:
description: Examples can optionally be used to ensure that
the sequence of transformation expressions are working
as expected. Examples define sample input identities which
are then run through the expression list, and the results
are compared to the expected results. If any example in
this list fails, then this identity provider will not
be available for use within this FederationDomain, and
the error(s) will be added to the FederationDomain status.
This can be used to help guard against programming mistakes
in the expressions, and also act as living documentation
for other administrators to better understand the expressions.
description: |-
Examples can optionally be used to ensure that the sequence of transformation expressions are working as
expected. Examples define sample input identities which are then run through the expression list, and the
results are compared to the expected results. If any example in this list fails, then this
identity provider will not be available for use within this FederationDomain, and the error(s) will be
added to the FederationDomain status. This can be used to help guard against programming mistakes in the
expressions, and also act as living documentation for other administrators to better understand the expressions.
items:
description: FederationDomainTransformsExample defines
a transform example.
properties:
expects:
description: Expects is the expected output of the
entire sequence of transforms when they are run
against the input Username and Groups.
description: |-
Expects is the expected output of the entire sequence of transforms when they are run against the
input Username and Groups.
properties:
groups:
description: Groups is the expected list of group
@@ -189,27 +181,18 @@ spec:
type: string
type: array
message:
description: Message is the expected error message
of the transforms. When Rejected is true, then
Message is the expected message for the policy
which rejected the authentication attempt. When
Rejected is true and Message is blank, then
Message will be treated as the default error
message for authentication attempts which are
rejected by a policy. When Rejected is false,
then Message is the expected error message for
some other non-policy transformation error,
such as a runtime error. When Rejected is false,
there is no default expected Message.
description: |-
Message is the expected error message of the transforms. When Rejected is true, then Message is the expected
message for the policy which rejected the authentication attempt. When Rejected is true and Message is blank,
then Message will be treated as the default error message for authentication attempts which are rejected by a
policy. When Rejected is false, then Message is the expected error message for some other non-policy
transformation error, such as a runtime error. When Rejected is false, there is no default expected Message.
type: string
rejected:
description: Rejected is a boolean that indicates
whether authentication is expected to be rejected
by a policy expression after the transformations
have been applied. True means that it is expected
that the authentication would be rejected. The
default value of false means that it is expected
that the authentication would not be rejected
description: |-
Rejected is a boolean that indicates whether authentication is expected to be rejected by a policy expression
after the transformations have been applied. True means that it is expected that the authentication would be
rejected. The default value of false means that it is expected that the authentication would not be rejected
by any policy expression.
type: boolean
username:
@@ -232,44 +215,38 @@ spec:
type: object
type: array
expressions:
description: "Expressions are an optional list of transforms
and policies to be executed in the order given during
every authentication attempt, including during every session
refresh. Each is a CEL expression. It may use the basic
CEL language as defined in https://github.com/google/cel-spec/blob/master/doc/langdef.md
plus the CEL string extensions defined in https://github.com/google/cel-go/tree/master/ext#strings.
\n The username and groups extracted from the identity
provider, and the constants defined in this CR, are available
as variables in all expressions. The username is provided
via a variable called `username` and the list of group
names is provided via a variable called `groups` (which
may be an empty list). Each user-provided constants is
provided via a variable named `strConst.varName` for string
constants and `strListConst.varName` for string list constants.
\n The only allowed types for expressions are currently
policy/v1, username/v1, and groups/v1. Each policy/v1
must return a boolean, and when it returns false, no more
expressions from the list are evaluated and the authentication
attempt is rejected. Transformations of type policy/v1
do not return usernames or group names, and therefore
cannot change the username or group names. Each username/v1
transform must return the new username (a string), which
can be the same as the old username. Transformations of
type username/v1 do not return group names, and therefore
cannot change the group names. Each groups/v1 transform
must return the new groups list (list of strings), which
can be the same as the old groups list. Transformations
of type groups/v1 do not return usernames, and therefore
cannot change the usernames. After each expression, the
new (potentially changed) username or groups get passed
to the following expression. \n Any compilation or static
type-checking failure of any expression will cause an
error status on the FederationDomain. During an authentication
attempt, any unexpected runtime evaluation errors (e.g.
division by zero) cause the authentication attempt to
fail. When all expressions evaluate successfully, then
the (potentially changed) username and group names have
been decided for that authentication attempt."
description: |-
Expressions are an optional list of transforms and policies to be executed in the order given during every
authentication attempt, including during every session refresh.
Each is a CEL expression. It may use the basic CEL language as defined in
https://github.com/google/cel-spec/blob/master/doc/langdef.md plus the CEL string extensions defined in
https://github.com/google/cel-go/tree/master/ext#strings.
The username and groups extracted from the identity provider, and the constants defined in this CR, are
available as variables in all expressions. The username is provided via a variable called `username` and
the list of group names is provided via a variable called `groups` (which may be an empty list).
Each user-provided constants is provided via a variable named `strConst.varName` for string constants
and `strListConst.varName` for string list constants.
The only allowed types for expressions are currently policy/v1, username/v1, and groups/v1.
Each policy/v1 must return a boolean, and when it returns false, no more expressions from the list are evaluated
and the authentication attempt is rejected.
Transformations of type policy/v1 do not return usernames or group names, and therefore cannot change the
username or group names.
Each username/v1 transform must return the new username (a string), which can be the same as the old username.
Transformations of type username/v1 do not return group names, and therefore cannot change the group names.
Each groups/v1 transform must return the new groups list (list of strings), which can be the same as the old
groups list.
Transformations of type groups/v1 do not return usernames, and therefore cannot change the usernames.
After each expression, the new (potentially changed) username or groups get passed to the following expression.
Any compilation or static type-checking failure of any expression will cause an error status on the FederationDomain.
During an authentication attempt, any unexpected runtime evaluation errors (e.g. division by zero) cause the
authentication attempt to fail. When all expressions evaluate successfully, then the (potentially changed) username
and group names have been decided for that authentication attempt.
items:
description: FederationDomainTransformsExpression defines
a transform expression.
@@ -280,10 +257,9 @@ spec:
minLength: 1
type: string
message:
description: Message is only used when Type is policy/v1.
It defines an error message to be used when the
policy rejects an authentication attempt. When empty,
a default message will be used.
description: |-
Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects
an authentication attempt. When empty, a default message will be used.
type: string
type:
description: Type determines the type of the expression.
@@ -305,14 +281,16 @@ spec:
type: object
type: array
issuer:
description: "Issuer is the OIDC Provider's issuer, per the OIDC Discovery
Metadata document, as well as the identifier that it will use for
the iss claim in issued JWTs. This field will also be used as the
base URL for any endpoints used by the OIDC Provider (e.g., if your
issuer is https://example.com/foo, then your authorization endpoint
will look like https://example.com/foo/some/path/to/auth/endpoint).
\n See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3
for more information."
description: |-
Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
identifier that it will use for the iss claim in issued JWTs. This field will also be used as
the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is
https://example.com/foo, then your authorization endpoint will look like
https://example.com/foo/some/path/to/auth/endpoint).
See
https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
minLength: 1
type: string
tls:
@@ -320,26 +298,28 @@ spec:
Security (TLS) configuration for the FederationDomain.
properties:
secretName:
description: "SecretName is an optional name of a Secret in the
same namespace, of type `kubernetes.io/tls`, which contains
the TLS serving certificate for the HTTPS endpoints served by
this FederationDomain. When provided, the TLS Secret named here
must contain keys named `tls.crt` and `tls.key` that contain
the certificate and private key to use for TLS. \n Server Name
Indication (SNI) is an extension to the Transport Layer Security
(TLS) supported by all major browsers. \n SecretName is required
if you would like to use different TLS certificates for issuers
of different hostnames. SNI requests do not include port numbers,
so all issuers with the same DNS hostname must use the same
SecretName value even if they have different port numbers. \n
SecretName is not required when you would like to use only the
HTTP endpoints (e.g. when the HTTP listener is configured to
listen on loopback interfaces or UNIX domain sockets for traffic
from a service mesh sidecar). It is also not required when you
would like all requests to this OIDC Provider's HTTPS endpoints
to use the default TLS certificate, which is configured elsewhere.
\n When your Issuer URL's host is an IP address, then this field
is ignored. SNI does not work for IP addresses."
description: |-
SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
the TLS serving certificate for the HTTPS endpoints served by this FederationDomain. When provided, the TLS Secret
named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
for TLS.
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
SecretName value even if they have different port numbers.
SecretName is not required when you would like to use only the HTTP endpoints (e.g. when the HTTP listener is
configured to listen on loopback interfaces or UNIX domain sockets for traffic from a service mesh sidecar).
It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
use the default TLS certificate, which is configured elsewhere.
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
type: string
type: object
required:
@@ -353,42 +333,42 @@ spec:
current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -402,11 +382,12 @@ spec:
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -434,46 +415,55 @@ spec:
secrets.
properties:
jwks:
description: JWKS holds the name of the corev1.Secret in which
this OIDC Provider's signing/verification keys are stored. If
it is empty, then the signing/verification keys are either unknown
or they don't exist.
description: |-
JWKS holds the name of the corev1.Secret in which this OIDC Provider's signing/verification keys are
stored. If it is empty, then the signing/verification keys are either unknown or they don't
exist.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
stateEncryptionKey:
description: StateSigningKey holds the name of the corev1.Secret
in which this OIDC Provider's key for encrypting state parameters
is stored.
description: |-
StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
encrypting state parameters is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
stateSigningKey:
description: StateSigningKey holds the name of the corev1.Secret
in which this OIDC Provider's key for signing state parameters
is stored.
description: |-
StateSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
signing state parameters is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic
tokenSigningKey:
description: TokenSigningKey holds the name of the corev1.Secret
in which this OIDC Provider's key for signing tokens is stored.
description: |-
TokenSigningKey holds the name of the corev1.Secret in which this OIDC Provider's key for
signing tokens is stored.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?
type: string
type: object
x-kubernetes-map-type: atomic

152
deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
controller-gen.kubebuilder.io/version: v0.14.0
name: oidcclients.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev
@@ -35,14 +35,19 @@ spec:
description: OIDCClient describes the configuration of an OIDC client.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -50,17 +55,19 @@ spec:
description: Spec of the OIDC client.
properties:
allowedGrantTypes:
description: "allowedGrantTypes is a list of the allowed grant_type
param values that should be accepted during OIDC flows with this
client. \n Must only contain the following values: - authorization_code:
allows the client to perform the authorization code grant flow,
i.e. allows the webapp to authenticate users. This grant must always
be listed. - refresh_token: allows the client to perform refresh
grants for the user to extend the user's session. This grant must
be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange:
allows the client to perform RFC8693 token exchange, which is a
step in the process to be able to get a cluster credential for the
user. This grant must be listed if allowedScopes lists pinniped:request-audience."
description: |-
allowedGrantTypes is a list of the allowed grant_type param values that should be accepted during OIDC flows with this
client.
Must only contain the following values:
- authorization_code: allows the client to perform the authorization code grant flow, i.e. allows the webapp to
authenticate users. This grant must always be listed.
- refresh_token: allows the client to perform refresh grants for the user to extend the user's session.
This grant must be listed if allowedScopes lists offline_access.
- urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
which is a step in the process to be able to get a cluster credential for the user.
This grant must be listed if allowedScopes lists pinniped:request-audience.
items:
enum:
- authorization_code
@@ -71,12 +78,11 @@ spec:
type: array
x-kubernetes-list-type: set
allowedRedirectURIs:
description: allowedRedirectURIs is a list of the allowed redirect_uri
param values that should be accepted during OIDC flows with this
client. Any other uris will be rejected. Must be a URI with the
https scheme, unless the hostname is 127.0.0.1 or ::1 which may
use the http scheme. Port numbers are not required for 127.0.0.1
or ::1 and are ignored when checking for a matching redirect_uri.
description: |-
allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
client. Any other uris will be rejected.
Must be a URI with the https scheme, unless the hostname is 127.0.0.1 or ::1 which may use the http scheme.
Port numbers are not required for 127.0.0.1 or ::1 and are ignored when checking for a matching redirect_uri.
items:
pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/
type: string
@@ -84,27 +90,24 @@ spec:
type: array
x-kubernetes-list-type: set
allowedScopes:
description: "allowedScopes is a list of the allowed scopes param
values that should be accepted during OIDC flows with this client.
\n Must only contain the following values: - openid: The client
is allowed to request ID tokens. ID tokens only include the required
claims by default (iss, sub, aud, exp, iat). This scope must always
be listed. - offline_access: The client is allowed to request an
initial refresh token during the authorization code grant flow.
This scope must be listed if allowedGrantTypes lists refresh_token.
- pinniped:request-audience: The client is allowed to request a
new audience value during a RFC8693 token exchange, which is a step
in the process to be able to get a cluster credential for the user.
openid, username and groups scopes must be listed when this scope
is present. This scope must be listed if allowedGrantTypes lists
urn:ietf:params:oauth:grant-type:token-exchange. - username: The
client is allowed to request that ID tokens contain the user's username.
Without the username scope being requested and allowed, the ID token
will not contain the user's username. - groups: The client is allowed
to request that ID tokens contain the user's group membership, if
their group membership is discoverable by the Supervisor. Without
the groups scope being requested and allowed, the ID token will
not contain groups."
description: |-
allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client.
Must only contain the following values:
- openid: The client is allowed to request ID tokens. ID tokens only include the required claims by default (iss, sub, aud, exp, iat).
This scope must always be listed.
- offline_access: The client is allowed to request an initial refresh token during the authorization code grant flow.
This scope must be listed if allowedGrantTypes lists refresh_token.
- pinniped:request-audience: The client is allowed to request a new audience value during a RFC8693 token exchange,
which is a step in the process to be able to get a cluster credential for the user.
openid, username and groups scopes must be listed when this scope is present.
This scope must be listed if allowedGrantTypes lists urn:ietf:params:oauth:grant-type:token-exchange.
- username: The client is allowed to request that ID tokens contain the user's username.
Without the username scope being requested and allowed, the ID token will not contain the user's username.
- groups: The client is allowed to request that ID tokens contain the user's group membership,
if their group membership is discoverable by the Supervisor.
Without the groups scope being requested and allowed, the ID token will not contain groups.
items:
enum:
- openid
@@ -129,42 +132,42 @@ spec:
current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -178,11 +181,12 @@ spec:
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string

294
deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
controller-gen.kubebuilder.io/version: v0.14.0
name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev
@@ -35,14 +35,19 @@ spec:
an upstream Microsoft Active Directory identity provider.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -50,19 +55,16 @@ spec:
description: Spec for configuring the identity provider.
properties:
bind:
description: Bind contains the configuration for how to provide access
credentials during an initial bind to the ActiveDirectory server
to be allowed to perform searches and binds to validate a user's
credentials during a user's authentication attempt.
description: |-
Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server
to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
properties:
secretName:
description: SecretName contains the name of a namespace-local
Secret object that provides the username and password for an
Active Directory bind user. This account will be used to perform
LDAP searches. The Secret should be of type "kubernetes.io/basic-auth"
which includes "username" and "password" keys. The username
value should be the full dn (distinguished name) of your bind
account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
description: |-
SecretName contains the name of a namespace-local Secret object that provides the username and
password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be
of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
The password must be non-empty.
minLength: 1
type: string
@@ -74,87 +76,85 @@ spec:
for a user's group membership in ActiveDirectory.
properties:
attributes:
description: Attributes specifies how the group's information
should be read from each ActiveDirectory entry which was found
as the result of the group search.
description: |-
Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
the result of the group search.
properties:
groupName:
description: GroupName specifies the name of the attribute
in the Active Directory entries whose value shall become
a group name in the user's list of groups after a successful
authentication. The value of this field is case-sensitive
and must match the case of the attribute name returned by
the ActiveDirectory server in the user's entry. E.g. "cn"
for common name. Distinguished names can be used by specifying
lower-case "dn". Optional. When not specified, this defaults
to a custom field that looks like "sAMAccountName@domain",
where domain is constructed from the domain components of
the group DN.
description: |-
GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name
in the user's list of groups after a successful authentication.
The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory
server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain",
where domain is constructed from the domain components of the group DN.
type: string
type: object
base:
description: Base is the dn (distinguished name) that should be
used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
Optional, when not specified it will be based on the result
of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
description: |-
Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
"ou=groups,dc=example,dc=com".
Optional, when not specified it will be based on the result of a query for the defaultNamingContext
(see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
The default behavior searches your entire domain for groups.
It may make sense to specify a subtree as a search base if you
wish to exclude some groups for security reasons or to make
searches faster.
It may make sense to specify a subtree as a search base if you wish to exclude some groups
for security reasons or to make searches faster.
type: string
filter:
description: Filter is the ActiveDirectory search filter which
should be applied when searching for groups for a user. The
pattern "{}" must occur in the filter at least once and will
be dynamically replaced by the value of an attribute of the
user entry found as a result of the user search. Which attribute's
value is used to replace the placeholder(s) depends on the value
of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
description: |-
Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
value of an attribute of the user entry found as a result of the user search. Which attribute's
value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of
an entry, so "dn={}" cannot be used. Optional. When not specified,
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
This searches nested groups by default. Note that nested group
search can be slow for some Active Directory servers. To disable
it, you can set the filter to "(&(objectClass=group)(member={})"
Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
Optional. When not specified, the default will act as if the filter were specified as
"(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
This searches nested groups by default.
Note that nested group search can be slow for some Active Directory servers. To disable it,
you can set the filter to
"(&(objectClass=group)(member={})"
type: string
skipGroupRefresh:
description: "The user's group membership is refreshed as they
interact with the supervisor to obtain new credentials (as their
old credentials expire). This allows group membership changes
to be quickly reflected into Kubernetes clusters. Since group
membership is often used to bind authorization policies, it
is important to keep the groups observed in Kubernetes clusters
in-sync with the identity provider. \n In some environments,
frequent group membership queries may result in a significant
performance impact on the identity provider and/or the supervisor.
The best approach to handle performance impacts is to tweak
the group query to be more performant, for example by disabling
nested group search or by using a more targeted group search
base. \n If the group search query cannot be made performant
and you are willing to have group memberships remain static
for approximately a day, then set skipGroupRefresh to true.
\ This is an insecure configuration as authorization policies
that are bound to group membership will not notice if a user
has been removed from a particular group until their next login.
\n This is an experimental feature that may be removed or significantly
altered in the future. Consumers of this configuration should
carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed."
description: |-
The user's group membership is refreshed as they interact with the supervisor
to obtain new credentials (as their old credentials expire). This allows group
membership changes to be quickly reflected into Kubernetes clusters. Since
group membership is often used to bind authorization policies, it is important
to keep the groups observed in Kubernetes clusters in-sync with the identity
provider.
In some environments, frequent group membership queries may result in a
significant performance impact on the identity provider and/or the supervisor.
The best approach to handle performance impacts is to tweak the group query
to be more performant, for example by disabling nested group search or by
using a more targeted group search base.
If the group search query cannot be made performant and you are willing to
have group memberships remain static for approximately a day, then set
skipGroupRefresh to true. This is an insecure configuration as authorization
policies that are bound to group membership will not notice if a user has
been removed from a particular group until their next login.
This is an experimental feature that may be removed or significantly altered
in the future. Consumers of this configuration should carefully read all
release notes before upgrading to ensure that the meaning of this field has
not changed.
type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
description: |-
UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
For example, specifying "uid" as the UserAttributeForFilter while specifying
"&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object
host:
@@ -176,49 +176,46 @@ spec:
a user by name in Active Directory.
properties:
attributes:
description: Attributes specifies how the user's information should
be read from the ActiveDirectory entry which was found as the
result of the user search.
description: |-
Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as
the result of the user search.
properties:
uid:
description: UID specifies the name of the attribute in the
ActiveDirectory entry which whose value shall be used to
uniquely identify the user within this ActiveDirectory provider
after a successful authentication. Optional, when empty
this defaults to "objectGUID".
description: |-
UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely
identify the user within this ActiveDirectory provider after a successful authentication.
Optional, when empty this defaults to "objectGUID".
type: string
username:
description: Username specifies the name of the attribute
in Active Directory entry whose value shall become the username
of the user after a successful authentication. Optional,
when empty this defaults to "userPrincipalName".
description: |-
Username specifies the name of the attribute in Active Directory entry whose value shall become the username
of the user after a successful authentication.
Optional, when empty this defaults to "userPrincipalName".
type: string
type: object
base:
description: Base is the dn (distinguished name) that should be
used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
Optional, when not specified it will be based on the result
of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
description: |-
Base is the dn (distinguished name) that should be used as the search base when searching for users.
E.g. "ou=users,dc=example,dc=com".
Optional, when not specified it will be based on the result of a query for the defaultNamingContext
(see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
The default behavior searches your entire domain for users.
It may make sense to specify a subtree as a search base if you
wish to exclude some users or to make searches faster.
It may make sense to specify a subtree as a search base if you wish to exclude some users
or to make searches faster.
type: string
filter:
description: Filter is the search filter which should be applied
when searching for users. The pattern "{}" must occur in the
filter at least once and will be dynamically replaced by the
username for which the search is being run. E.g. "mail={}" or
"&(objectClass=person)(uid={})". For more information about
LDAP filters, see https://ldap.com/ldap-filters. Note that the
dn (distinguished name) is not an attribute of an entry, so
"dn={}" cannot be used. Optional. When not specified, the default
will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
This means that the user is a person, is not a computer, the
sAMAccountType is for a normal user account, and is not shown
in advanced view only (which would likely mean its a system
created service account with advanced permissions). Also, either
the sAMAccountName, the userPrincipalName, or the mail attribute
matches the input username.
description: |-
Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur
in the filter at least once and will be dynamically replaced by the username for which the search is being run.
E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
Optional. When not specified, the default will be
'(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account,
and is not shown in advanced view only
(which would likely mean its a system created service account with advanced permissions).
Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
type: string
type: object
required:
@@ -232,42 +229,42 @@ spec:
current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -281,11 +278,12 @@ spec:
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string

284
deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
controller-gen.kubebuilder.io/version: v0.14.0
name: ldapidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev
@@ -31,18 +31,24 @@ spec:
name: v1alpha1
schema:
openAPIV3Schema:
description: LDAPIdentityProvider describes the configuration of an upstream
Lightweight Directory Access Protocol (LDAP) identity provider.
description: |-
LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access
Protocol (LDAP) identity provider.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -50,20 +56,17 @@ spec:
description: Spec for configuring the identity provider.
properties:
bind:
description: Bind contains the configuration for how to provide access
credentials during an initial bind to the LDAP server to be allowed
to perform searches and binds to validate a user's credentials during
a user's authentication attempt.
description: |-
Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server
to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
properties:
secretName:
description: SecretName contains the name of a namespace-local
Secret object that provides the username and password for an
LDAP bind user. This account will be used to perform LDAP searches.
The Secret should be of type "kubernetes.io/basic-auth" which
includes "username" and "password" keys. The username value
should be the full dn (distinguished name) of your bind account,
e.g. "cn=bind-account,ou=users,dc=example,dc=com". The password
must be non-empty.
description: |-
SecretName contains the name of a namespace-local Secret object that provides the username and
password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be
of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
The password must be non-empty.
minLength: 1
type: string
required:
@@ -74,79 +77,75 @@ spec:
for a user's group membership in the LDAP provider.
properties:
attributes:
description: Attributes specifies how the group's information
should be read from each LDAP entry which was found as the result
of the group search.
description: |-
Attributes specifies how the group's information should be read from each LDAP entry which was found as
the result of the group search.
properties:
groupName:
description: GroupName specifies the name of the attribute
in the LDAP entries whose value shall become a group name
description: |-
GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name
in the user's list of groups after a successful authentication.
The value of this field is case-sensitive and must match
the case of the attribute name returned by the LDAP server
in the user's entry. E.g. "cn" for common name. Distinguished
names can be used by specifying lower-case "dn". Optional.
When not specified, the default will act as if the GroupName
were specified as "dn" (distinguished name).
The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name).
type: string
type: object
base:
description: Base is the dn (distinguished name) that should be
used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
When not specified, no group search will be performed and authenticated
users will not belong to any groups from the LDAP provider.
Also, when not specified, the values of Filter, UserAttributeForFilter,
Attributes, and SkipGroupRefresh are ignored.
description: |-
Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
"ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
the values of Filter, UserAttributeForFilter, Attributes, and SkipGroupRefresh are ignored.
type: string
filter:
description: Filter is the LDAP search filter which should be
applied when searching for groups for a user. The pattern "{}"
must occur in the filter at least once and will be dynamically
replaced by the value of an attribute of the user entry found
as a result of the user search. Which attribute's value is used
to replace the placeholder(s) depends on the value of UserAttributeForFilter.
description: |-
Filter is the LDAP search filter which should be applied when searching for groups for a user.
The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
value of an attribute of the user entry found as a result of the user search. Which attribute's
value is used to replace the placeholder(s) depends on the value of UserAttributeForFilter.
For more information about LDAP filters, see https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of
an entry, so "dn={}" cannot be used. Optional. When not specified,
the default will act as if the Filter were specified as "member={}".
Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
Optional. When not specified, the default will act as if the Filter were specified as "member={}".
type: string
skipGroupRefresh:
description: "The user's group membership is refreshed as they
interact with the supervisor to obtain new credentials (as their
old credentials expire). This allows group membership changes
to be quickly reflected into Kubernetes clusters. Since group
membership is often used to bind authorization policies, it
is important to keep the groups observed in Kubernetes clusters
in-sync with the identity provider. \n In some environments,
frequent group membership queries may result in a significant
performance impact on the identity provider and/or the supervisor.
The best approach to handle performance impacts is to tweak
the group query to be more performant, for example by disabling
nested group search or by using a more targeted group search
base. \n If the group search query cannot be made performant
and you are willing to have group memberships remain static
for approximately a day, then set skipGroupRefresh to true.
\ This is an insecure configuration as authorization policies
that are bound to group membership will not notice if a user
has been removed from a particular group until their next login.
\n This is an experimental feature that may be removed or significantly
altered in the future. Consumers of this configuration should
carefully read all release notes before upgrading to ensure
that the meaning of this field has not changed."
description: |-
The user's group membership is refreshed as they interact with the supervisor
to obtain new credentials (as their old credentials expire). This allows group
membership changes to be quickly reflected into Kubernetes clusters. Since
group membership is often used to bind authorization policies, it is important
to keep the groups observed in Kubernetes clusters in-sync with the identity
provider.
In some environments, frequent group membership queries may result in a
significant performance impact on the identity provider and/or the supervisor.
The best approach to handle performance impacts is to tweak the group query
to be more performant, for example by disabling nested group search or by
using a more targeted group search base.
If the group search query cannot be made performant and you are willing to
have group memberships remain static for approximately a day, then set
skipGroupRefresh to true. This is an insecure configuration as authorization
policies that are bound to group membership will not notice if a user has
been removed from a particular group until their next login.
This is an experimental feature that may be removed or significantly altered
in the future. Consumers of this configuration should carefully read all
release notes before upgrading to ensure that the meaning of this field has
not changed.
type: boolean
userAttributeForFilter:
description: UserAttributeForFilter specifies which attribute's
value from the user entry found as a result of the user search
will be used to replace the "{}" placeholder(s) in the group
search Filter. For example, specifying "uid" as the UserAttributeForFilter
while specifying "&(objectClass=posixGroup)(memberUid={})" as
the Filter would search for groups by replacing the "{}" placeholder
in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn"
were specified. For example, leaving UserAttributeForFilter
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
as the Filter would search for groups by replacing the "{}"
placeholder(s) with the dn (distinguished name) of the user.
description: |-
UserAttributeForFilter specifies which attribute's value from the user entry found as a result of
the user search will be used to replace the "{}" placeholder(s) in the group search Filter.
For example, specifying "uid" as the UserAttributeForFilter while specifying
"&(objectClass=posixGroup)(memberUid={})" as the Filter would search for groups by replacing
the "{}" placeholder in the Filter with the value of the user's "uid" attribute.
Optional. When not specified, the default will act as if "dn" were specified. For example, leaving
UserAttributeForFilter unspecified while specifying "&(objectClass=groupOfNames)(member={})" as the Filter
would search for groups by replacing the "{}" placeholder(s) with the dn (distinguished name) of the user.
type: string
type: object
host:
@@ -168,54 +167,46 @@ spec:
a user by name in the LDAP provider.
properties:
attributes:
description: Attributes specifies how the user's information should
be read from the LDAP entry which was found as the result of
the user search.
description: |-
Attributes specifies how the user's information should be read from the LDAP entry which was found as
the result of the user search.
properties:
uid:
description: UID specifies the name of the attribute in the
LDAP entry which whose value shall be used to uniquely identify
the user within this LDAP provider after a successful authentication.
E.g. "uidNumber" or "objectGUID". The value of this field
is case-sensitive and must match the case of the attribute
name returned by the LDAP server in the user's entry. Distinguished
names can be used by specifying lower-case "dn".
description: |-
UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely
identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
server in the user's entry. Distinguished names can be used by specifying lower-case "dn".
minLength: 1
type: string
username:
description: Username specifies the name of the attribute
in the LDAP entry whose value shall become the username
of the user after a successful authentication. This would
typically be the same attribute name used in the user search
filter, although it can be different. E.g. "mail" or "uid"
or "userPrincipalName". The value of this field is case-sensitive
and must match the case of the attribute name returned by
the LDAP server in the user's entry. Distinguished names
can be used by specifying lower-case "dn". When this field
is set to "dn" then the LDAPIdentityProviderUserSearch's
Filter field cannot be blank, since the default value of
"dn={}" would not work.
description: |-
Username specifies the name of the attribute in the LDAP entry whose value shall become the username
of the user after a successful authentication. This would typically be the same attribute name used in
the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName".
The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field
is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default
value of "dn={}" would not work.
minLength: 1
type: string
type: object
base:
description: Base is the dn (distinguished name) that should be
used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
description: |-
Base is the dn (distinguished name) that should be used as the search base when searching for users.
E.g. "ou=users,dc=example,dc=com".
minLength: 1
type: string
filter:
description: Filter is the LDAP search filter which should be
applied when searching for users. The pattern "{}" must occur
in the filter at least once and will be dynamically replaced
by the username for which the search is being run. E.g. "mail={}"
or "&(objectClass=person)(uid={})". For more information about
LDAP filters, see https://ldap.com/ldap-filters. Note that the
dn (distinguished name) is not an attribute of an entry, so
"dn={}" cannot be used. Optional. When not specified, the default
will act as if the Filter were specified as the value from Attributes.Username
appended by "={}". When the Attributes.Username is set to "dn"
then the Filter must be explicitly specified, since the default
value of "dn={}" would not work.
description: |-
Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur
in the filter at least once and will be dynamically replaced by the username for which the search is being run.
E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
https://ldap.com/ldap-filters.
Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
Optional. When not specified, the default will act as if the Filter were specified as the value from
Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be
explicitly specified, since the default value of "dn={}" would not work.
type: string
type: object
required:
@@ -229,42 +220,42 @@ spec:
current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -278,11 +269,12 @@ spec:
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string

316
deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
controller-gen.kubebuilder.io/version: v0.14.0
name: oidcidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev
@@ -35,14 +35,19 @@ spec:
OpenID Connect identity provider.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -50,39 +55,29 @@ spec:
description: Spec for configuring the identity provider.
properties:
authorizationConfig:
description: AuthorizationConfig holds information about how to form
the OAuth2 authorization request parameters to be used with this
OIDC identity provider.
description: |-
AuthorizationConfig holds information about how to form the OAuth2 authorization request
parameters to be used with this OIDC identity provider.
properties:
additionalAuthorizeParameters:
description: additionalAuthorizeParameters are extra query parameters
that should be included in the authorize request to your OIDC
provider in the authorization request during an OIDC Authorization
Code Flow. By default, no extra parameters are sent. The standard
parameters that will be sent are "response_type", "scope", "client_id",
"state", "nonce", "code_challenge", "code_challenge_method",
and "redirect_uri". These parameters cannot be included in this
setting. Additionally, the "hd" parameter cannot be included
in this setting at this time. The "hd" parameter is used by
Google's OIDC provider to provide a hint as to which "hosted
domain" the user should use during login. However, Pinniped
does not yet support validating the hosted domain in the resulting
ID token, so it is not yet safe to use this feature of Google's
OIDC provider with Pinniped. This setting does not influence
the parameters sent to the token endpoint in the Resource Owner
Password Credentials Grant. The Pinniped Supervisor requires
that your OIDC provider returns refresh tokens to the Supervisor
from the authorization flows. Some OIDC providers may require
a certain value for the "prompt" parameter in order to properly
request refresh tokens. See the documentation of your OIDC provider's
authorization endpoint for its requirements for what to include
in the request in order to receive a refresh token in the response,
if anything. If your provider requires the prompt parameter
to request a refresh token, then include it here. Also note
that most providers also require a certain scope to be requested
in order to receive refresh tokens. See the additionalScopes
setting for more information about using scopes to request refresh
tokens.
description: |-
additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
"state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time.
The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user
should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting
ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped.
This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password
Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the
Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt"
parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's
authorization endpoint for its requirements for what to include in the request in order to receive a refresh
token in the response, if anything. If your provider requires the prompt parameter to request a refresh token,
then include it here. Also note that most providers also require a certain scope to be requested in order to
receive refresh tokens. See the additionalScopes setting for more information about using scopes to request
refresh tokens.
items:
description: Parameter is a key/value pair which represents
a parameter in an HTTP request.
@@ -102,139 +97,109 @@ spec:
- name
x-kubernetes-list-type: map
additionalScopes:
description: 'additionalScopes are the additional scopes that
will be requested from your OIDC provider in the authorization
request during an OIDC Authorization Code Flow and in the token
request during a Resource Owner Password Credentials Grant.
Note that the "openid" scope will always be requested regardless
of the value in this setting, since it is always required according
to the OIDC spec. By default, when this field is not set, the
Supervisor will request the following scopes: "openid", "offline_access",
"email", and "profile". See https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
for a description of the "profile" and "email" scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
for a description of the "offline_access" scope. This default
value may change in future versions of Pinniped as the standard
evolves, or as common patterns used by providers who implement
the standard in the ecosystem evolve. By setting this list to
anything other than an empty list, you are overriding the default
value, so you may wish to include some of "offline_access",
"email", and "profile" in your override list. If you do not
want any of these scopes to be requested, you may set this list
to contain only "openid". Some OIDC providers may also require
a scope to get access to the user''s group membership, in which
case you may wish to include it in this list. Sometimes the
scope to request the user''s group membership is called "groups",
but unfortunately this is not specified in the OIDC standard.
Generally speaking, you should include any scopes required to
cause the appropriate claims to be the returned by your OIDC
provider in the ID token or userinfo endpoint results for those
claims which you would like to use in the oidcClaims settings
to determine the usernames and group memberships of your Kubernetes
users. See your OIDC provider''s documentation for more information
about what scopes are available to request claims. Additionally,
the Pinniped Supervisor requires that your OIDC provider returns
refresh tokens to the Supervisor from these authorization flows.
For most OIDC providers, the scope required to receive refresh
tokens will be "offline_access". See the documentation of your
OIDC provider''s authorization and token endpoints for its requirements
for what to include in the request in order to receive a refresh
token in the response, if anything. Note that it may be safe
to send "offline_access" even to providers which do not require
it, since the provider may ignore scopes that it does not understand
or require (see https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).
In the unusual case that you must avoid sending the "offline_access"
scope, then you must override the default value of this setting.
This is required if your OIDC provider will reject the request
when it includes "offline_access" (e.g. GitLab''s OIDC provider).'
description: |-
additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request
the following scopes: "openid", "offline_access", "email", and "profile". See
https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email"
scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the
"offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves,
or as common patterns used by providers who implement the standard in the ecosystem evolve.
By setting this list to anything other than an empty list, you are overriding the
default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list.
If you do not want any of these scopes to be requested, you may set this list to contain only "openid".
Some OIDC providers may also require a scope to get access to the user's group membership, in which case you
may wish to include it in this list. Sometimes the scope to request the user's group membership is called
"groups", but unfortunately this is not specified in the OIDC standard.
Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by
your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in
the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See
your OIDC provider's documentation for more information about what scopes are available to request claims.
Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor
from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be
"offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its
requirements for what to include in the request in order to receive a refresh token in the response, if anything.
Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider
may ignore scopes that it does not understand or require (see
https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
"offline_access" scope, then you must override the default value of this setting. This is required if your OIDC
provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider).
items:
type: string
type: array
allowPasswordGrant:
description: allowPasswordGrant, when true, will allow the use
of OAuth 2.0's Resource Owner Password Credentials Grant (see
https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to
authenticate to the OIDC provider using a username and password
without a web browser, in addition to the usual browser-based
OIDC Authorization Code Flow. The Resource Owner Password Credentials
Grant is not officially part of the OIDC specification, so it
may not be supported by your OIDC provider. If your OIDC provider
supports returning ID tokens from a Resource Owner Password
Credentials Grant token request, then you can choose to set
this field to true. This will allow end users to choose to present
their username and password to the kubectl CLI (using the Pinniped
plugin) to authenticate to the cluster, without using a web
browser to log in as is customary in OIDC Authorization Code
Flow. This may be convenient for users, especially for identities
from your OIDC provider which are not intended to represent
a human actor, such as service accounts performing actions in
a CI/CD environment. Even if your OIDC provider supports it,
you may wish to disable this behavior by setting this field
to false when you prefer to only allow users of this OIDCIdentityProvider
to log in via the browser-based OIDC Authorization Code Flow.
Using the Resource Owner Password Credentials Grant means that
the Pinniped CLI and Pinniped Supervisor will directly handle
your end users' passwords (similar to LDAPIdentityProvider),
and you will not be able to require multi-factor authentication
or use the other web-based login features of your OIDC provider
during Resource Owner Password Credentials Grant logins. allowPasswordGrant
defaults to false.
description: |-
allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
(see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be
supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password
Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose
to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the
cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be
convenient for users, especially for identities from your OIDC provider which are not intended to represent a human
actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it,
you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this
OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password
Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords
(similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other
web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins.
allowPasswordGrant defaults to false.
type: boolean
type: object
claims:
description: Claims provides the names of token claims that will be
used when inspecting an identity from this OIDC identity provider.
description: |-
Claims provides the names of token claims that will be used when inspecting an identity from
this OIDC identity provider.
properties:
additionalClaimMappings:
additionalProperties:
type: string
description: AdditionalClaimMappings allows for additional arbitrary
upstream claim values to be mapped into the "additionalClaims"
claim of the ID tokens generated by the Supervisor. This should
be specified as a map of new claim names as the keys, and upstream
claim names as the values. These new claim names will be nested
under the top-level "additionalClaims" claim in ID tokens generated
by the Supervisor when this OIDCIdentityProvider was used for
user authentication. These claims will be made available to
all clients. This feature is not required to use the Supervisor
to provide authentication for Kubernetes clusters, but can be
used when using the Supervisor for other authentication purposes.
When this map is empty or the upstream claims are not available,
the "additionalClaims" claim will be excluded from the ID tokens
generated by the Supervisor.
description: |-
AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
"additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients.
This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be
used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims
are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
type: object
groups:
description: Groups provides the name of the ID token claim or
userinfo endpoint response claim that will be used to ascertain
the groups to which an identity belongs. By default, the identities
will not include any group memberships when this setting is
not configured.
description: |-
Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
the groups to which an identity belongs. By default, the identities will not include any group memberships when
this setting is not configured.
type: string
username:
description: Username provides the name of the ID token claim
or userinfo endpoint response claim that will be used to ascertain
an identity's username. When not set, the username will be an
automatically constructed unique string which will include the
issuer URL of your OIDC provider along with the value of the
"sub" (subject) claim from the ID token.
description: |-
Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
ascertain an identity's username. When not set, the username will be an automatically constructed unique string
which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
the ID token.
type: string
type: object
client:
description: OIDCClient contains OIDC client information to be used
used with this OIDC identity provider.
description: |-
OIDCClient contains OIDC client information to be used used with this OIDC identity
provider.
properties:
secretName:
description: SecretName contains the name of a namespace-local
Secret object that provides the clientID and clientSecret for
an OIDC client. If only the SecretName is specified in an OIDCClient
struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client"
with keys "clientID" and "clientSecret".
description: |-
SecretName contains the name of a namespace-local Secret object that provides the clientID and
clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient
struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys
"clientID" and "clientSecret".
type: string
required:
- secretName
type: object
issuer:
description: Issuer is the issuer URL of this OIDC identity provider,
i.e., where to fetch /.well-known/openid-configuration.
description: |-
Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
/.well-known/openid-configuration.
minLength: 1
pattern: ^https://
type: string
@@ -259,42 +224,42 @@ spec:
current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -308,11 +273,12 @@ spec:
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string

4
deploy/supervisor/values.yaml
View File

@@ -1,4 +1,4 @@
#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ def validate_strings_map(obj):
@@ -52,7 +52,7 @@ replicas: 2
#@schema/title "Image repo"
#@schema/desc "The repository for the Supervisor container image."
#@schema/validation min_len=1
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
image_repo: ghcr.io/vmware-tanzu/pinniped/pinniped-server
#@schema/title "Image digest"
#@schema/desc "The image digest for the Supervisor container image. If both image_digest or an image_tag are given, only image_digest will be used."

13
generated/1.21/README.adoc generated
View File

@@ -46,6 +46,18 @@ JWTAuthenticator describes the configuration of a JWT authenticator.
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-authentication-v1alpha1-jwtauthenticatorphase"]
==== JWTAuthenticatorPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-authentication-v1alpha1-jwtauthenticatorstatus[$$JWTAuthenticatorStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-authentication-v1alpha1-jwtauthenticatorspec"]
==== JWTAuthenticatorSpec
@@ -80,6 +92,7 @@ Status of a JWT authenticator.
|===
| Field | Description
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#condition-v1-meta[$$Condition$$] array__ | Represents the observations of the authenticator's current state.
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-authentication-v1alpha1-jwtauthenticatorphase[$$JWTAuthenticatorPhase$$]__ | Phase summarizes the overall status of the JWTAuthenticator.
|===

19
generated/1.21/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go generated
View File

@@ -1,10 +1,23 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
type JWTAuthenticatorPhase string
const (
// JWTAuthenticatorPhasePending is the default phase for newly-created JWTAuthenticator resources.
JWTAuthenticatorPhasePending JWTAuthenticatorPhase = "Pending"
// JWTAuthenticatorPhaseReady is the phase for an JWTAuthenticator resource in a healthy state.
JWTAuthenticatorPhaseReady JWTAuthenticatorPhase = "Ready"
// JWTAuthenticatorPhaseError is the phase for an JWTAuthenticator in an unhealthy state.
JWTAuthenticatorPhaseError JWTAuthenticatorPhase = "Error"
)
// Status of a JWT authenticator.
type JWTAuthenticatorStatus struct {
// Represents the observations of the authenticator's current state.
@@ -13,6 +26,10 @@ type JWTAuthenticatorStatus struct {
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
// Phase summarizes the overall status of the JWTAuthenticator.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase JWTAuthenticatorPhase `json:"phase,omitempty"`
}
// Spec for configuring a JWT authenticator.

2
generated/1.21/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by deepcopy-gen. DO NOT EDIT.

2
generated/1.21/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by deepcopy-gen. DO NOT EDIT.

2
generated/1.21/apis/concierge/identity/v1alpha1/zz_generated.conversion.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by conversion-gen. DO NOT EDIT.

2
generated/1.21/apis/concierge/identity/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by deepcopy-gen. DO NOT EDIT.

2
generated/1.21/apis/concierge/identity/v1alpha1/zz_generated.defaults.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by defaulter-gen. DO NOT EDIT.

2
generated/1.21/apis/concierge/identity/zz_generated.deepcopy.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by deepcopy-gen. DO NOT EDIT.

2
generated/1.21/apis/concierge/login/v1alpha1/zz_generated.conversion.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by conversion-gen. DO NOT EDIT.

2
generated/1.21/apis/concierge/login/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by deepcopy-gen. DO NOT EDIT.

2
generated/1.21/apis/concierge/login/v1alpha1/zz_generated.defaults.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by defaulter-gen. DO NOT EDIT.

2
generated/1.21/apis/concierge/login/zz_generated.deepcopy.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by deepcopy-gen. DO NOT EDIT.

2
generated/1.21/apis/go.mod generated
View File

@@ -1,4 +1,4 @@
// This go.mod file is generated by ./hack/codegen.sh.
// This go.mod file is generated by ./hack/update.sh.
module go.pinniped.dev/generated/1.21/apis
go 1.13

2
generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.conversion.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by conversion-gen. DO NOT EDIT.

2
generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by deepcopy-gen. DO NOT EDIT.

2
generated/1.21/apis/supervisor/clientsecret/v1alpha1/zz_generated.defaults.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by defaulter-gen. DO NOT EDIT.

2
generated/1.21/apis/supervisor/clientsecret/zz_generated.deepcopy.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by deepcopy-gen. DO NOT EDIT.

2
generated/1.21/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by deepcopy-gen. DO NOT EDIT.

2
generated/1.21/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by deepcopy-gen. DO NOT EDIT.

6
generated/1.21/apis/supervisor/oidc/types_supervisor_oidc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package oidc
@@ -29,6 +29,10 @@ const (
// IDTokenClaimSubject is name of the subject claim defined by the OIDC spec.
IDTokenClaimSubject = "sub"
// IDTokenSubClaimIDPNameQueryParam is the name of the query param used in the values of the "sub" claim
// in Supervisor-issued ID tokens to identify with which external identity provider the user authenticated.
IDTokenSubClaimIDPNameQueryParam = "idpName"
// IDTokenClaimAuthorizedParty is name of the authorized party claim defined by the OIDC spec.
IDTokenClaimAuthorizedParty = "azp"

2
generated/1.21/client/concierge/clientset/versioned/clientset.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/fake/clientset_generated.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/fake/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/fake/register.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/scheme/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/scheme/register.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/authentication_client.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_authentication_client.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_jwtauthenticator.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/fake/fake_webhookauthenticator.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/generated_expansion.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/jwtauthenticator.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/authentication/v1alpha1/webhookauthenticator.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/config_client.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/credentialissuer.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/fake/fake_credentialissuer.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/config/v1alpha1/generated_expansion.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/fake_identity_client.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/fake/fake_whoamirequest.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/generated_expansion.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/identity_client.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/identity/v1alpha1/whoamirequest.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/fake_login_client.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/fake/fake_tokencredentialrequest.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/generated_expansion.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/login_client.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/clientset/versioned/typed/login/v1alpha1/tokencredentialrequest.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/informers/externalversions/authentication/interface.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/informers/externalversions/authentication/v1alpha1/interface.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/informers/externalversions/authentication/v1alpha1/jwtauthenticator.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/informers/externalversions/authentication/v1alpha1/webhookauthenticator.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/informers/externalversions/config/interface.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/informers/externalversions/config/v1alpha1/credentialissuer.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/informers/externalversions/config/v1alpha1/interface.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/informers/externalversions/factory.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/informers/externalversions/generic.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/informers/externalversions/internalinterfaces/factory_interfaces.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/listers/authentication/v1alpha1/expansion_generated.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by lister-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/listers/authentication/v1alpha1/jwtauthenticator.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by lister-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/listers/authentication/v1alpha1/webhookauthenticator.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by lister-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/listers/config/v1alpha1/credentialissuer.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by lister-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/listers/config/v1alpha1/expansion_generated.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by lister-gen. DO NOT EDIT.

2
generated/1.21/client/concierge/openapi/zz_generated.openapi.go generated
View File

@@ -1,7 +1,7 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by openapi-gen. DO NOT EDIT.

6
generated/1.21/client/go.mod generated
View File

@@ -1,8 +1,10 @@
// This go.mod file is generated by ./hack/codegen.sh.
// This go.mod file is generated by ./hack/update.sh.
module go.pinniped.dev/generated/1.21/client
go 1.13
replace go.pinniped.dev/generated/1.21/apis => ../apis
require (
github.com/go-openapi/spec v0.19.3
go.pinniped.dev/generated/1.21/apis v0.0.0
@@ -10,5 +12,3 @@ require (
k8s.io/client-go v0.21.14
k8s.io/kube-openapi v0.0.0-20211110012726-3cc51fd1e909
)
replace go.pinniped.dev/generated/1.21/apis => ../apis

2
generated/1.21/client/supervisor/clientset/versioned/clientset.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/supervisor/clientset/versioned/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/supervisor/clientset/versioned/fake/clientset_generated.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/supervisor/clientset/versioned/fake/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/supervisor/clientset/versioned/fake/register.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

2
generated/1.21/client/supervisor/clientset/versioned/scheme/doc.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.

Some files were not shown because too many files have changed in this diff Show More