mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-01-30 01:22:30 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: mirrors:v0.30.0
Branches Tags
mirrors:main mirrors:dependabot/docker/dockerfiles/eks-deployer/ci/amazon/aws-cli-2.33.9 mirrors:dependabot/docker/dockerfiles/k8s-app-deployer/ci/google/cloud-sdk-554.0.0-slim mirrors:dependabot/docker/dockerfiles/integration-test-runner-beta/ci/google/cloud-sdk-554.0.0-slim mirrors:dependabot/docker/dockerfiles/integration-test-runner/ci/google/cloud-sdk-554.0.0-slim mirrors:ci mirrors:jtc/freeze-k8s-utils mirrors:jtc/add-a-bunch-of-groups mirrors:poc/AuditEventFrom_replacement mirrors:jtc/bump-to-k8s-0-34-0 mirrors:move_ci mirrors:upgrade_linter_may_2025 mirrors:jtc/bump-to-k8s-1-32-libs mirrors:jtc/backfill-test mirrors:jtc/warn-when-tokens-are-large mirrors:jtc/externally-configured-serving-certs mirrors:jtc/use-soft-memory-limit-1103 mirrors:poc/session_length mirrors:jtc/propose-opt-out-of-self-signed-cas mirrors:poc/kube_csr_api mirrors:release-0.12 mirrors:poc/client-side-logout mirrors:release-0.4
mirrors:v0.43.0 mirrors:v0.42.0 mirrors:v0.41.0 mirrors:v0.40.0 mirrors:v0.39.0 mirrors:v0.38.0 mirrors:v0.37.0 mirrors:v0.36.0 mirrors:v0.35.0 mirrors:v0.34.0 mirrors:v0.33.0 mirrors:v0.32.0 mirrors:v0.31.0 mirrors:v0.30.0 mirrors:v0.29.0 mirrors:v0.28.0 mirrors:v0.27.0 mirrors:v0.26.0 mirrors:v0.25.0 mirrors:v0.24.0 mirrors:v0.23.0 mirrors:v0.22.0 mirrors:v0.21.0 mirrors:v0.20.0 mirrors:v0.19.0 mirrors:v0.18.0 mirrors:v0.17.0 mirrors:v0.16.0 mirrors:v0.15.0 mirrors:v0.12.1 mirrors:v0.14.0 mirrors:v0.13.0 mirrors:v0.12.0 mirrors:v0.11.0 mirrors:v0.10.0 mirrors:v0.4.4 mirrors:v0.9.2 mirrors:v0.9.1 mirrors:v0.9.0 mirrors:v0.4.3 mirrors:v0.8.0 mirrors:v0.4.2 mirrors:v0.7.0 mirrors:v0.6.0 mirrors:v0.5.0 mirrors:v0.4.1 mirrors:v0.4.0 mirrors:v0.3.0 mirrors:v0.2.0 mirrors:v0.1.0
..
compare: mirrors:v0.31.0
Branches Tags
mirrors:main mirrors:dependabot/docker/dockerfiles/eks-deployer/ci/amazon/aws-cli-2.33.9 mirrors:dependabot/docker/dockerfiles/k8s-app-deployer/ci/google/cloud-sdk-554.0.0-slim mirrors:dependabot/docker/dockerfiles/integration-test-runner-beta/ci/google/cloud-sdk-554.0.0-slim mirrors:dependabot/docker/dockerfiles/integration-test-runner/ci/google/cloud-sdk-554.0.0-slim mirrors:ci mirrors:jtc/freeze-k8s-utils mirrors:jtc/add-a-bunch-of-groups mirrors:poc/AuditEventFrom_replacement mirrors:jtc/bump-to-k8s-0-34-0 mirrors:move_ci mirrors:upgrade_linter_may_2025 mirrors:jtc/bump-to-k8s-1-32-libs mirrors:jtc/backfill-test mirrors:jtc/warn-when-tokens-are-large mirrors:jtc/externally-configured-serving-certs mirrors:jtc/use-soft-memory-limit-1103 mirrors:poc/session_length mirrors:jtc/propose-opt-out-of-self-signed-cas mirrors:poc/kube_csr_api mirrors:release-0.12 mirrors:poc/client-side-logout mirrors:release-0.4
mirrors:v0.43.0 mirrors:v0.42.0 mirrors:v0.41.0 mirrors:v0.40.0 mirrors:v0.39.0 mirrors:v0.38.0 mirrors:v0.37.0 mirrors:v0.36.0 mirrors:v0.35.0 mirrors:v0.34.0 mirrors:v0.33.0 mirrors:v0.32.0 mirrors:v0.31.0 mirrors:v0.30.0 mirrors:v0.29.0 mirrors:v0.28.0 mirrors:v0.27.0 mirrors:v0.26.0 mirrors:v0.25.0 mirrors:v0.24.0 mirrors:v0.23.0 mirrors:v0.22.0 mirrors:v0.21.0 mirrors:v0.20.0 mirrors:v0.19.0 mirrors:v0.18.0 mirrors:v0.17.0 mirrors:v0.16.0 mirrors:v0.15.0 mirrors:v0.12.1 mirrors:v0.14.0 mirrors:v0.13.0 mirrors:v0.12.0 mirrors:v0.11.0 mirrors:v0.10.0 mirrors:v0.4.4 mirrors:v0.9.2 mirrors:v0.9.1 mirrors:v0.9.0 mirrors:v0.4.3 mirrors:v0.8.0 mirrors:v0.4.2 mirrors:v0.7.0 mirrors:v0.6.0 mirrors:v0.5.0 mirrors:v0.4.1 mirrors:v0.4.0 mirrors:v0.3.0 mirrors:v0.2.0 mirrors:v0.1.0

179 Commits
v0.30.0 ... v0.31.0

Author SHA1 Message Date
Ryan Richard
05fb8b75ef Merge pull request #1982 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-06-05 12:24:13 -05:00
Pinny
ee2aa9ce50 Bump dependencies 2024-06-05 13:00:42 +00:00
Ryan Richard
ca9560effb Merge pull request #1978 from vmware-tanzu/github_identity_provider 
Add GitHubIdentityProvider and support browser-based auth in the Pinniped Supervisor
 2024-06-04 10:26:46 -07:00
Ryan Richard
6b64a8a9c6 ran update.sh to update generated code 2024-06-03 16:48:57 -07:00
Ryan Richard
dd3c1ac3cf Merge branch 'main' into github_identity_provider 2024-06-03 16:40:36 -07:00
Ryan Richard
16c8911dfd Merge pull request #1979 from vmware-tanzu/update_codegen_kube_versions 
update kube versions for codegen
 2024-06-03 16:39:52 -07:00
Ryan Richard
8ea9ba8860 ran go generate to update mocks 2024-06-03 14:48:06 -07:00
Ryan Richard
1d8decfdad ran update.sh to update generated code 2024-06-03 14:30:53 -07:00
Ryan Richard
57431ce6c2 update kube versions for codegen 2024-06-03 14:20:00 -07:00
Ryan Richard
01723e0d12 Merge branch 'main' into github_identity_provider 2024-06-03 13:21:32 -07:00
Joshua Casey
8733a24ebf Merge pull request #1976 from vmware-tanzu/resolve_github_todos 
Resolve remaining GitHub todos
 2024-06-03 13:54:13 -05:00
Joshua Casey
58b4ecc0aa user sees error msg when GitHub login is denied due to allowed orgs 
Also renamed an interface function from GetName to GetResourceName.

Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-06-03 10:56:28 -07:00
Joshua Casey
b43b8439c4 Merge pull request #1977 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-06-03 12:06:07 -05:00
Pinny
f2747ef4e7 Bump dependencies 2024-06-03 13:03:02 +00:00
Ryan Richard
e3d8c71f97 sleep longer before generating any GitHib OTP codes 2024-05-31 12:03:36 -07:00
Ryan Richard
0ace5cf477 update github proposal doc to reflect current status 2024-05-31 09:59:50 -07:00
Ryan Richard
6364ac9ac7 change status condition type name to be "ClientCredentialsSecretValid" 
For both GitHubIdentityProvider and OIDCIdentityProvider to make them
consistent with each other.
 2024-05-31 09:59:30 -07:00
Ryan Richard
e89daadfcf dump debugging info when a browser-based test fails 2024-05-31 09:09:24 -07:00
Joshua Casey
eee737186f Clean up how lastTransitionTime and observedGeneration are checked in github_upstream_watcher_test 2024-05-30 21:34:29 -05:00
Ryan Richard
c5b54ec27e resolve a todo in supervisor_discovery_test.go 2024-05-30 14:48:35 -07:00
Joshua Casey
2ad43789cc Merge pull request #1975 from vmware-tanzu/another_github_doc_change 
mention GitHubIdentityProvider in some more website documentation
 2024-05-30 16:32:55 -05:00
Ryan Richard
38a90fa01e mention GitHubIdentityProvider in some more website documentation 2024-05-30 14:21:33 -07:00
Joshua Casey
037fa65c63 Merge pull request #1963 from vmware-tanzu/github-issues-downstream-tokens 
Issue and refresh downstream ID tokens derived from a GitHub IDP
 2024-05-30 16:16:37 -05:00
Joshua Casey
de68594fd6 Merge pull request #1974 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-05-30 12:03:49 -05:00
Ryan Richard
6327f51f5b repeat same github int tests using OAuth client in supervisor_login_test 2024-05-30 09:58:10 -07:00
Joshua Casey
781ee82b9d Merge branch 'main' into pinny/bump-deps 2024-05-30 11:15:35 -05:00
Ryan Richard
34d02466d9 Merge pull request #1973 from vmware-tanzu/jtc/use-dependabot-for-major-versions-only 
Use dependabot to automate major-only dependency bumps
 2024-05-30 07:44:33 -07:00
Pinny
8dd34d9ea9 Bump dependencies 2024-05-30 13:01:05 +00:00
Joshua Casey
3c0bad9ea2 Use dependabot to automate major-only dependency bumps 2024-05-29 17:37:25 -05:00
Ryan Richard
2bf11ffde1 update error message assertion for github in supervisor_login_test.go 2024-05-29 09:45:43 -07:00
Ryan Richard
bb9cb739c6 more unit tests for github in token_handler_test.go 2024-05-29 08:55:41 -07:00
Joshua Casey
cc8d637715 Fix lint 2024-05-28 20:33:55 -05:00
Joshua Casey
eafc9ad78c Merge pull request #1970 from vmware-tanzu/use_latest_dir_for_api_docs 
use "latest" dir for API docs in doc URLs on the web site
 2024-05-28 18:10:22 -05:00
Ryan Richard
c1719c8f1a use "latest" dir for API docs in doc URLs on the web site 2024-05-28 15:59:40 -07:00
Joshua Casey
d3fb567fdb Add callback_handler tests for GitHub+IdentityTransformations 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-05-28 15:59:52 -05:00
Joshua Casey
8b1e5aa320 Add callback_handler tests to confirm GitHub with downstream form_post and GitHub with an error case 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-05-28 15:17:04 -05:00
Joshua Casey
37e654faa0 bunch of renames 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-05-28 13:41:52 -05:00
Joshua Casey
7c73b5e3df Merge pull request #1969 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-05-27 11:49:02 -05:00
Pinny
6a9661b374 Bump dependencies 2024-05-27 13:03:01 +00:00
Joshua Casey
6429164852 Merge pull request #1968 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-05-24 08:55:22 -05:00
Pinny
fa68cbbe4e Bump dependencies 2024-05-24 13:02:57 +00:00
Ryan Richard
f323690049 refactor upstream refresh test helpers to be more specific to IDP type 2024-05-23 13:35:31 -07:00
Joshua Casey
02ffff01d5 fix lint 2024-05-23 12:32:18 -05:00
Joshua Casey
2cdeb85cd6 Merge pull request #1967 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-05-23 12:29:41 -05:00
Pinny
6ea7c48ae9 Bump dependencies 2024-05-23 13:01:01 +00:00
Joshua Casey
65682aa60d Add sample unit test for GitHub in token_handler_test.go 2024-05-22 23:04:15 -05:00
Ryan Richard
bb1737daec slow down github integration tests to avoid OTP reuse errors from github 2024-05-22 21:21:45 -05:00
Ryan Richard
fef494949f implement upstream refresh for github 2024-05-22 21:21:45 -05:00
Ryan Richard
0a15d488c8 Merge callback_handler_github_test.go into callback_handler_test.go 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-05-22 21:21:45 -05:00
Ryan Richard
e69eb46911 Add github integration tests to supervisor_login_test.go 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-05-22 21:21:45 -05:00
Ryan Richard
8f8db3f542 Make github org comparison case-insensitive, but return original case 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-05-22 21:21:45 -05:00
Ryan Richard
8923704f3c Finish initial github login flow 
Also:
- fix github teams query: fix bug and sort/unique the results
- add IDP display name to github downstream subject
- fix error types returned by LoginFromCallback
- add trace logs to github API results
- update e2e test
- implement placeholder version of refresh for github
 2024-05-22 21:21:45 -05:00
Joshua Casey
ba2d122308 fix lint 2024-05-22 21:21:45 -05:00
Joshua Casey
938bea9910 upstreamgitub.go now uses githubclient to determine username and groups 2024-05-22 21:21:45 -05:00
Joshua Casey
8719c7a2db Standardize error messages and url handling within NewGitHubClient 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-05-22 21:21:45 -05:00
Ryan Richard
16fa12f455 Handle empty or invalid github API responses 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-05-22 21:21:45 -05:00
Joshua Casey
555b1c80e3 Use passed-in context 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-05-22 21:21:45 -05:00
Joshua Casey
a12a5f387a Empty allowedOrganizations will return all teams 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-05-22 21:21:45 -05:00
Joshua Casey
c087e33b86 Add client wrapper for github.com/google/go-github/v62 2024-05-22 21:21:45 -05:00
Ryan Richard
49c468f00a Add GetUser() interface and implement LoginFromCallback() for GitHub 
ALso fixed some of the GitHub test helpers
 2024-05-22 21:21:45 -05:00
Joshua Casey
b7f79f0adc Add github-specific tests in callback_handler_github_test.go 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-05-22 21:21:45 -05:00
Ryan Richard
2756a106a9 Merge pull request #1966 from vmware-tanzu/jtc/add-docs-for-github-app 
Add docs for GitHub app and GitHub OAuth app
 2024-05-22 15:04:38 -07:00
Ryan Richard
efffa0def2 document creating GitHub OAuth App 2024-05-22 15:03:09 -07:00
Joshua Casey
6beb1c135c Add docs for GitHub App configuration on github.com 2024-05-22 16:25:42 -05:00
Joshua Casey
24ab2e85e5 Merge pull request #1965 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-05-22 13:27:11 -05:00
Joshua Casey
c6749560b5 Fix plog test assertions that contain the plog library version 2024-05-22 09:35:16 -05:00
Pinny
a0160b8e47 Bump dependencies 2024-05-22 13:01:15 +00:00
Joshua Casey
7f56115abc Merge pull request #1964 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-05-21 08:56:10 -05:00
Pinny
5a29f19faa Bump dependencies 2024-05-21 13:02:31 +00:00
Joshua Casey
ae45e158a3 Merge pull request #1962 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-05-20 10:02:00 -05:00
Pinny
81c44528ba Bump dependencies 2024-05-20 13:02:19 +00:00
Ryan Richard
9cfb6baaf2 Merge pull request #1961 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-05-17 14:12:20 -07:00
Pinny
1de902fe8d Bump dependencies 2024-05-17 13:02:24 +00:00
Joshua Casey
7ac141ba08 Merge pull request #1960 from vmware-tanzu/jtc/merge-main-at-3fe3cf71-into-github 
Merge main at `3fe3cf71` into `github_identity_provider`
 2024-05-16 20:37:42 -05:00
Joshua Casey
fd7838ef2c Add 'github' as an example to the 'pinniped login oidc --upstream-identity-provider-type' help text 2024-05-16 16:22:13 -05:00
Joshua Casey
7ffb1de1c9 Merge branch 'github_identity_provider' into jtc/merge-main-at-3fe3cf71-into-github 2024-05-16 16:07:30 -05:00
Joshua Casey
e4daa5a924 Merge branch 'main' into jtc/merge-main-at-3fe3cf71-into-github 2024-05-16 16:05:34 -05:00
Joshua Casey
147022234e Merge pull request #1959 from vmware-tanzu/github_hack_prepare_supervisor 
update hack/prepare-supervisor-on-kind.sh for GitHub IDPs
 2024-05-16 16:04:41 -05:00
Ryan Richard
2054708c53 update hack/prepare-supervisor-on-kind.sh for GitHub IDPs 2024-05-16 13:49:53 -07:00
Ryan Richard
3fe3cf71ab Merge pull request #1928 from vmware-tanzu/jtc/add-idp-type-discovery 
Add `pinniped_supported_identity_provider_types` to the IDP discovery endpoint
 2024-05-16 13:06:38 -07:00
Joshua Casey
7787885463 Add federation domain cleanup in E2E integration test 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-05-16 14:18:43 -05:00
Ryan Richard
f320980006 Add integration test to prove that 'pinniped login oidc' will infer the flowtype from the Supervisor's IDP discovery 
Co-authored-by: Joshua T Casey <caseyj@vmware.com>
 2024-05-16 12:57:33 -05:00
Ryan Richard
7e0a3c114d Pinniped CLI and the oidc-client package are now enhanced by pinniped_supported_identity_provider_types 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-05-16 12:57:12 -05:00
Joshua Casey
a86d7d27c1 Add pinniped_supported_identity_provider_types to the IDP discovery endpoint 2024-05-16 12:55:45 -05:00
Joshua Casey
b00cf65732 Merge pull request #1958 from vmware-tanzu/jtc/merge-main-at-6b3f175-into-github 
Merge main at `6b3f175` into `github_identity_provider`
 2024-05-16 11:02:50 -05:00
Joshua Casey
69364b2183 Merge branch 'main' into jtc/merge-main-at-6b3f175-into-github 2024-05-16 09:22:28 -05:00
Joshua Casey
6b3f175885 Merge pull request #1957 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-05-16 08:55:13 -05:00
Pinny
cb7aa561cf Bump dependencies 2024-05-16 13:02:49 +00:00
Joshua Casey
253869ad46 Merge pull request #1954 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-05-15 14:41:24 -05:00
Pinny
109da32164 Bump dependencies 2024-05-15 17:50:34 +00:00
Joshua Casey
b69c0ac746 Merge pull request #1860 from vmware-tanzu/github_proposal 
Add proposal for Authenticating Users via GitHub
 2024-05-15 12:11:42 -05:00
Joshua Casey
4cc61c038e Merge pull request #1951 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-05-15 08:54:31 -05:00
Pinny
ae725feee9 Bump dependencies 2024-05-15 13:02:47 +00:00
Joshua Casey
49a57576dd Merge pull request #1953 from vmware-tanzu/site_and_readme_updates 
some small readme and site updates
 2024-05-14 14:45:46 -05:00
Ryan Richard
b94b9ad2d8 some small readme and site updates 2024-05-14 09:57:16 -07:00
Joshua Casey
b28e416d0c Merge pull request #1950 from vmware-tanzu/refactor_ptls 
refactor ptls to clarify the difference between FIPS and non-FIPS modes
 2024-05-13 20:32:43 -05:00
Ryan Richard
e13f4a7f29 refactor ptls to clarify the difference between FIPS and non-FIPS modes 
and backfill some basic tests
 2024-05-13 16:52:15 -07:00
Joshua Casey
f96cbea521 Merge pull request #1948 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-05-13 09:33:18 -05:00
Pinny
d4fb9be250 Bump dependencies 2024-05-13 13:01:21 +00:00
Joshua Casey
41cdb6bbaf Merge pull request #1946 from vmware-tanzu/jtc/merge-main-at-d7849c79-to-github 
Merge main at `d7849c79` to `github_identity_provider`
 2024-05-10 16:35:35 -05:00
Joshua Casey
f43b6f04dc Fix lint issues from golangci-lint 1.58.1 2024-05-10 15:15:59 -05:00
Joshua Casey
791b785dea Merge branch 'main' into jtc/merge-main-at-d7849c79-to-github 2024-05-10 14:22:09 -05:00
Ryan Richard
d7849c793c Merge pull request #1939 from vmware-tanzu/jtc/bump-golangci-lint-to-1-58 
Bump golangci-lint to 1.58.1
 2024-05-10 12:17:18 -07:00
Joshua Casey
5568372bb9 Do not use v for the version prefix in lint-version.txt 2024-05-10 13:27:15 -05:00
Joshua Casey
cba26c92f5 Remove with_modules from hack/module.sh 2024-05-10 13:12:00 -05:00
Joshua Casey
47de5118f2 Remove deprecated .golangci.yaml options 2024-05-10 12:51:03 -05:00
Joshua Casey
81f3acfa38 Update some build tags since go1.22+ is now required 2024-05-10 12:51:03 -05:00
Joshua Casey
aac48fc308 Enable 'spancheck' linter 2024-05-10 12:51:03 -05:00
Joshua Casey
5635d6c862 Enable 'fatcontext' linter and mark 'canonicalheader' as unusable 2024-05-10 12:51:02 -05:00
Joshua Casey
e9d0ac5110 Enable 'intrange' linter 2024-05-10 12:51:02 -05:00
Joshua Casey
7b36c8ab54 Enable 'copyloopvar' linter 2024-05-10 12:51:02 -05:00
Joshua Casey
e04e5e0185 Fix revive linter issues for all production code, and exclude revive linter issues for test code 2024-05-10 12:51:02 -05:00
Joshua Casey
67d3b5fb82 Fix misspell lint issues 2024-05-10 12:51:01 -05:00
Joshua Casey
c31a0e37bf Add module command lint_with_docker to run lint within docker with a pinned golangci-lint version 2024-05-10 12:51:01 -05:00
Joshua Casey
ab01ce41ed Merge pull request #1929 from vmware-tanzu/ben/github/UpstreamAuthorizeRedirectURL 
GitHub upstream authorize redirect url
 2024-05-10 12:19:00 -05:00
Ryan Richard
1e6b8a0be0 Merge pull request #1945 from vmware-tanzu/jtc/update-codegen 
Bump generated 1.30 toolchains to go1.22.3
 2024-05-10 09:22:12 -07:00
Joshua Casey
dba0de88f3 Bump generated 1.30 toolchains to go1.22.3 2024-05-10 09:17:22 -05:00
Ryan Richard
0cdbb710d2 add test for github redirect in auth_handler_test.go 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-05-09 15:35:37 -07:00
Joshua Casey
75f024cb19 Fix lint 2024-05-09 15:35:37 -07:00
Joshua Casey
32e4e0d835 Add TestGenerateOTPCode 2024-05-09 15:35:37 -07:00
Ryan Richard
7c85a511a2 first draft of an e2e integration test for GitHub login (skip while WIP) 2024-05-09 15:35:37 -07:00
Ryan Richard
6be92f92fb bump Supervisor session storage versions 2024-05-09 15:35:37 -07:00
Ryan Richard
7277d00e1a refactor upstreamgithub.ProviderConfig to hold more config 2024-05-09 15:35:37 -07:00
Benjamin A. Petersen
29eb3dd384 Update GitHub UpstreamAuthorizeRedirectURL to generate URLs 2024-05-09 15:35:37 -07:00
Ryan Richard
501ec25f5a Merge pull request #1944 from vmware-tanzu/jtc/merge-main-at-0612654-into-github_identity_provider 
Merge main at `0612654` into `github_identity_provider`
 2024-05-09 15:04:18 -07:00
Joshua Casey
6ae0c0bd22 Merge pull request #1941 from vmware-tanzu/hack_prepare_webhook 
prepare-webhook-on-kind.sh specifies type and name
 2024-05-09 16:33:37 -05:00
Joshua Casey
d9c1b104cd Merge branch 'main' into jtc/merge-main-at-0612654-into-github_identity_provider 2024-05-09 16:06:04 -05:00
Joshua Casey
fbf4284866 Merge branch 'main' into hack_prepare_webhook 2024-05-09 15:41:41 -05:00
Pinny
06126544bd Updated versions in docs for v0.30.0 release 2024-05-09 19:41:57 +00:00
Ryan Richard
e9c93305b9 prepare-webhook-on-kind.sh specifies type and name 2024-05-09 12:29:50 -07:00
Ryan Richard
3197156aa1 Merge pull request #1910 from vmware-tanzu/jtc/github_docs 
Add GitHub Docs to configure the Supervisor with a GitHub IDP
 2024-05-09 11:09:11 -07:00
Ryan Richard
f377292ffe change some wording in github doc 2024-05-09 11:05:48 -07:00
Joshua Casey
96e4442181 Add docs to configure the Supervisor with a GitHub IDP. 
- Does not include docs for configuring GitHub Apps or GitHub OAuth Apps
 2024-05-08 15:57:21 -05:00
Ryan Richard
afb032f8f9 Merge branch 'main' into github_identity_provider 2024-05-07 13:08:50 -07:00
Benjamin A. Petersen
d34f297b37 Update generated code 2024-05-01 12:59:27 -04:00
Benjamin A. Petersen
e0591500ce Update fuzz test 2024-05-01 12:57:00 -04:00
Benjamin A. Petersen
c43193a0c8 Merge branch 'main' into github_identity_provider 2024-05-01 12:15:08 -04:00
Ben Petersen
0896e7164a Merge pull request #1930 from vmware-tanzu/ben/discovery-test/oidc-and-ldap 
IDP Discovery Test improvement: Add OIDC, LDAP
 2024-05-01 10:35:26 -04:00
Benjamin A. Petersen
00567645d0 Add conditional AD to IDP discovery test 2024-04-30 15:43:32 -04:00
Benjamin A. Petersen
92b9d68863 Add OIDC, LDAP to supervisor discovery test 2024-04-30 14:19:54 -04:00
Ben Petersen
0d709ea8db Merge pull request #1908 from vmware-tanzu/ben/github/identity-provider/federation-domain-resolved-github 
Allow GitHub IDP type in FederationDomains
 2024-04-29 16:07:51 -04:00
Benjamin A. Petersen
9a21cb9cc7 update code generation 2024-04-29 15:21:35 -04:00
Benjamin A. Petersen
6424f45c19 Add IDP Discovery integration test for GitHub 2024-04-29 14:57:14 -04:00
Benjamin A. Petersen
8a961bfa21 Add upstreamgithub unit tests 2024-04-25 17:02:08 -04:00
Benjamin A. Petersen
cd86d57763 review cleanup, remove TODOs 2024-04-25 17:02:07 -04:00
Benjamin A. Petersen
2753b468fd Update TestSupervisorFederationDomainStatus test 2024-04-25 17:02:07 -04:00
Joshua Casey
be1915d2d7 fixed fuzzing 2024-04-25 17:02:07 -04:00
Benjamin A. Petersen
42ef46b74e expand TestUpstreamGitHubIdentityProvider 2024-04-25 17:02:07 -04:00
Benjamin A. Petersen
79d0e74056 Fix github_upstream_watcher so GitHub is listed in Supervisor idp discovery doc 2024-04-25 17:02:06 -04:00
Benjamin A. Petersen
8de4524428 Add github to kubeconfig.go 2024-04-25 17:02:06 -04:00
Benjamin A. Petersen
8f71f965b9 Add github to login_oidc.go 2024-04-25 17:02:06 -04:00
Benjamin A. Petersen
0e3641bba2 Fix test idp lister 2024-04-25 17:02:06 -04:00
Benjamin A. Petersen
e3aa495e0b Update idp discovery handler test 2024-04-25 17:02:06 -04:00
Benjamin A. Petersen
0edee37498 Update idp discovery types 2024-04-25 17:02:05 -04:00
Benjamin A. Petersen
7968ed6d69 Allow GitHubIdentityProvider IDP type by FederationDomainWatcher 2024-04-25 17:02:05 -04:00
Benjamin A. Petersen
44edba6f75 Add tests for Github in FederationDomain ListerFinder 2024-04-25 17:01:57 -04:00
Benjamin A. Petersen
0c7e95539f Add GitHub to FederationDomain IdP ListerFinder 2024-04-25 16:51:47 -04:00
Ben Petersen
8938990c04 Merge pull request #1925 from vmware-tanzu/jtc/polish-up-github-validations 
Polish up GitHub validations
 2024-04-25 16:40:24 -04:00
Joshua Casey
14b1b7c862 Polish up the github_upstream_watcher: default and verify spec.claims correctly 2024-04-24 13:37:40 -05:00
Joshua Casey
c8b90df6f1 Inline using phttp.Default 2024-04-23 18:06:26 -05:00
Joshua Casey
d0bbfca831 Merge pull request #1924 from vmware-tanzu/jtc/merge-main-5fe94c4e-into-github 
Merge main (at 5fe94c4e) into `github_identity_provider`
 2024-04-23 14:25:02 -05:00
Joshua Casey
fe5d037600 Merge branch 'main' into jtc/merge-main-5fe94c4e-into-github 2024-04-23 12:42:07 -05:00
Ben Petersen
0dc7dfcb50 Merge pull request #1907 from vmware-tanzu/jtc/add-github-idp-validations 
Add GitHub IDP validations
 2024-04-16 17:09:48 -04:00
Joshua Casey
c9b61ef010 Populate internal GitHub IDP Config from CRD 2024-04-16 14:33:01 -05:00
Joshua Casey
349039ff5d Merge pull request #1912 from vmware-tanzu/ben/github/identity-provider/supervisor-hack-script 
Add GitHub to Supervisor hack script
 2024-04-11 16:01:25 -05:00
Ben Petersen
a72155a57f Update prepare-supervisor-on-kind.sh final polish 2024-04-11 16:51:53 -04:00
Ben Petersen
41f8663dcd Update prepare-supervisor-on-kind.sh & remove hard-coded github claims 2024-04-11 16:50:14 -04:00
Ben Petersen
84007cb1ec Update prepare-supervisor-on-kind.sh add github environment variables 2024-04-11 16:44:58 -04:00
Ben Petersen
265c51b8aa Update prepare-supervisor-on-kind.sh to use vars for github secret 2024-04-11 16:23:18 -04:00
Benjamin A. Petersen
4c5d041c21 Initial add Github to hack/prepare-supervisor-on-kind.sh 2024-04-11 13:04:45 -04:00
Ben Petersen
ccef7bd1bc Merge pull request #1903 from vmware-tanzu/ben/github/identity-provider/controller 
WIP: Add GitHub upstream observer controller
 2024-04-02 14:49:07 -04:00
Benjamin A. Petersen
e2db152c6c Stub in TestUpstreamGithubIdentityProvider for unit tests 2024-04-02 13:59:11 -04:00
Benjamin A. Petersen
5c490e999d Stub in unit tests for github_upstream_watcher 2024-04-02 12:38:06 -04:00
Benjamin A. Petersen
a11e1527f0 Add github-upstream-observer Controller 2024-04-02 10:53:26 -04:00
Ben Petersen
6ac11a554a Merge pull request #1900 from vmware-tanzu/jtc/github_idp_crd 
First draft of a GitHubIdentityProvider CRD
 2024-04-01 17:06:54 -04:00
Joshua Casey
42dd8d1d9d First draft of a GitHubIdentityProvider CRD 2024-04-01 15:10:46 -05:00
Ryan Richard
2af6f4cdf6 Update status in proposal docs to reflect current states 2024-03-27 13:15:24 -07:00
Ryan Richard
60bdd3eccd Update proposal for Authenticating Users via GitHub 2024-03-27 13:15:24 -07:00
Ryan Richard
c1b93179ff Add proposal for Authenticating Users via GitHub 2024-03-27 13:15:24 -07:00
494 changed files with 26788 additions and 2520 deletions
Expand all files Collapse all files

25
.github/dependabot.yml vendored
View File

@@ -9,12 +9,25 @@ updates:
schedule:
interval: "daily"
# Our own CI job is responsible for updating this go.mod file now.
# - package-ecosystem: "gomod"
# open-pull-requests-limit: 100
# directory: "/"
# schedule:
# interval: "daily"
# Use dependabot to automate major-only dependency bumps
- package-ecosystem: "gomod"
open-pull-requests-limit: 2 # Not sure why there would ever be more than 1, just would not want to hide anything
directory: "/"
schedule:
interval: "daily"
# group all major dependency bumps together so there's only one pull request
groups:
go-modules:
patterns:
- "*"
update-types:
- "major"
ignore:
# For all packages, ignore all minor and patch updates
- dependency-name: "*"
update-types:
- "version-update:semver-minor"
- "version-update:semver-patch"
# Our own CI job is responsible for updating this Docker file now.
# - package-ecosystem: "docker"

23
.golangci.yaml
View File

@@ -1,8 +1,6 @@
# https://github.com/golangci/golangci-lint#config-file
# https://golangci-lint.run/usage/configuration/
run:
deadline: 1m
skip-dirs:
- generated
timeout: 1m
linters:
disable-all: true
@@ -45,14 +43,25 @@ linters:
- sqlclosecheck
- unconvert
- whitespace
- copyloopvar
- intrange
- fatcontext
# - canonicalheader Can't do this one since it alerts on valid headers such as X-XSS-Protection
- spancheck
issues:
exclude-dirs:
- generated
exclude-rules:
# exclude tests from some rules for things that are useful in a testing context.
- path: _test\.go
linters:
- funlen
- gochecknoglobals
- revive
- path: internal/testutil/
linters:
- revive
linters-settings:
funlen:
@@ -76,3 +85,9 @@ linters-settings:
# Allow unused params that start with underscore. It can be nice to keep unused param names when implementing
# an interface sometimes, to help readers understand why it is unused in that particular implementation.
- allowRegex: "^_"
spancheck:
# https://golangci-lint.run/usage/linters/#spancheck
checks:
- end
- record-error
- set-status

4
Dockerfile
View File

@@ -1,9 +1,9 @@
# syntax=docker/dockerfile:1
# Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
ARG BUILD_IMAGE=golang:1.22.3@sha256:b1e05e2c918f52c59d39ce7d5844f73b2f4511f7734add8bb98c9ecdd4443365
ARG BUILD_IMAGE=golang:1.22.4@sha256:969349b8121a56d51c74f4c273ab974c15b3a8ae246a5cffc1df7d28b66cf978
ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:e9ac71e2b8e279a8372741b7a0293afda17650d926900233ec3a7b2b7c22a246
# Prepare to cross-compile by always running the build stage in the build platform, not the target platform.

18
MAINTAINERS.md
View File

@@ -2,17 +2,17 @@
| Maintainer | GitHub ID | Affiliation |
|-----------------|-----------------------------------------------------------|------------------------------------------|
| Ben Petersen | [benjaminapetersen](https://github.com/benjaminapetersen) | [VMware](https://www.github.com/vmware/) |
| Ryan Richard | [cfryanr](https://github.com/cfryanr) | [VMware](https://www.github.com/vmware/) |
| Joshua T. Casey | [joshuatcasey](https://github.com/joshuatcasey) | [VMware](https://www.github.com/vmware/) |
## Emeritus Maintainers
| Maintainer | GitHub ID |
|-------------------|---------------------------------------------------------|
| Andrew Keesler | [ankeesler](https://github.com/ankeesler) |
| Anjali Telang | [anjaltelang](https://github.com/anjaltelang) |
| Margo Crawford | [margocrawf](https://github.com/margocrawf) |
| Matt Moyer | [mattmoyer](https://github.com/mattmoyer) |
| Mo Khan | [enj](https://github.com/enj) |
| Pablo Schuhmacher | [pabloschuhmacher](https://github.com/pabloschuhmacher) |
| Maintainer | GitHub ID |
|-------------------|-----------------------------------------------------------|
| Andrew Keesler | [ankeesler](https://github.com/ankeesler) |
| Anjali Telang | [anjaltelang](https://github.com/anjaltelang) |
| Ben Petersen | [benjaminapetersen](https://github.com/benjaminapetersen) |
| Margo Crawford | [margocrawf](https://github.com/margocrawf) |
| Matt Moyer | [mattmoyer](https://github.com/mattmoyer) |
| Mo Khan | [enj](https://github.com/enj) |
| Pablo Schuhmacher | [pabloschuhmacher](https://github.com/pabloschuhmacher) |

2
README.md
View File

@@ -47,4 +47,4 @@ Please follow the procedure described in [SECURITY.md](SECURITY.md).
Pinniped is open source and licensed under Apache License Version 2.0. See [LICENSE](LICENSE).
Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.

17
ROADMAP.md
View File

@@ -5,8 +5,6 @@
This document provides a high-level overview of the next big features the maintainers are planning to work on. This
should serve as a reference point for Pinniped users and contributors to understand where the project is heading, and
help determine if a contribution could be conflicting with a longer term plan.
The [Pinniped project backlog](https://github.com/orgs/vmware-tanzu/projects/43/) is prioritized based on this roadmap,
and it provides a more granular view of what the maintainers are working on a day-to-day basis.
### How to help
@@ -23,19 +21,6 @@ a [proposal](https://github.com/vmware-tanzu/pinniped/tree/main/proposals) in ou
For smaller enhancements, you can open an issue to track that initiative or feature request.
We work with and rely on community feedback to focus our efforts to improve Pinniped and maintain a healthy roadmap.
### Current Roadmap
The following table includes the current roadmap for Pinniped. Please take the timelines and dates as proposals and
goals. Priorities and requirements change based on community feedback, roadblocks encountered, community contributions,
Priorities and requirements change based on community feedback, roadblocks encountered, community contributions,
etc. If you depend on a specific item, we encourage you to reach out for updated status information, or help us deliver
that feature by [contributing](https://github.com/vmware-tanzu/pinniped/blob/main/CONTRIBUTING.md) to Pinniped.
Last Updated: Sept 2022
|Theme|Description|Timeline|
|--|--|--|
|Improving Usability|Dynamic Oauth Client Support for integrating with UI/Dashboards |Sept/Oct 2022|
|Improving Usability|Support for custom claim mappings in OIDCIdentityProvider |Q4 2022|
|Improving Usability|Support for Multiple Identity Providers |Q4 2022|
|Improving Security Posture|Support Audit logging of security events related to Authentication |Q4 2022|
|Improving Security Posture|Session Management |2022/2023|
|Improving Security Posture|Secrets Rotation and Management |2022/2023|

9
SCOPE.md
View File

@@ -21,12 +21,3 @@ The following items are out of scope for the Pinniped project.
- Standalone identity provider for general use.
- Machine-to-machine (service) identity.
- Running outside of Kubernetes.
## Roadmap
See our [open milestones][milestones] and the [`priority/backlog` label][backlog] for an idea about what's next on our roadmap.
For more details on proposing features and bugs, check out our [contributing](./CONTRIBUTING.md) doc.
[milestones]: https://github.com/vmware-tanzu/pinniped/milestones
[backlog]: https://github.com/vmware-tanzu/pinniped/labels/priority%2Fbacklog

4
apis/supervisor/idp/v1alpha1/register.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&LDAPIdentityProviderList{},
&ActiveDirectoryIdentityProvider{},
&ActiveDirectoryIdentityProviderList{},
&GitHubIdentityProvider{},
&GitHubIdentityProviderList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil

256
apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go.tmpl Normal file
View File

@@ -0,0 +1,256 @@
// Copyright 2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
type GitHubIdentityProviderPhase string
const (
// GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources.
GitHubPhasePending GitHubIdentityProviderPhase = "Pending"
// GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state.
GitHubPhaseReady GitHubIdentityProviderPhase = "Ready"
// GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state.
GitHubPhaseError GitHubIdentityProviderPhase = "Error"
)
type GitHubAllowedAuthOrganizationsPolicy string
const (
// GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity
// provider, regardless of their organization membership or lack thereof.
GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers"
// GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in
// the listed GitHub organizations are allowed to log in.
GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations"
)
// GitHubIdentityProviderStatus is the status of an GitHub identity provider.
type GitHubIdentityProviderStatus struct {
// Phase summarizes the overall status of the GitHubIdentityProvider.
//
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase GitHubIdentityProviderPhase `json:"phase,omitempty"`
// Conditions represents the observations of an identity provider's current state.
//
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
// GitHubAPIConfig allows configuration for GitHub Enterprise Server
type GitHubAPIConfig struct {
// Host is required only for GitHub Enterprise Server.
// Defaults to using GitHub's public API ("github.com").
// Do not specify a protocol or scheme since "https://" will always be used.
// Port is optional. Do not specify a path, query, fragment, or userinfo.
// Only domain name or IP address, subdomains (optional), and port (optional).
// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
// in square brackets. Example: "[::1]:443".
//
// +kubebuilder:default="github.com"
// +kubebuilder:validation:MinLength=1
// +optional
Host *string `json:"host"`
// TLS configuration for GitHub Enterprise Server.
//
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
}
// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
// to Kubernetes. See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
type GitHubUsernameAttribute string
const (
// GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes.
GitHubUsernameID GitHubUsernameAttribute = "id"
// GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes.
GitHubUsernameLogin GitHubUsernameAttribute = "login"
// GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the
// username to present to Kubernetes, separated by a colon. Example: "my-login:1234"
GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id"
)
// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
// names to present to Kubernetes. See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
type GitHubGroupNameAttribute string
const (
// GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes.
GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name"
// GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes.
GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug"
)
// GitHubClaims allows customization of the username and groups claims.
type GitHubClaims struct {
// Username configures which property of the GitHub user record shall determine the username in Kubernetes.
//
// Can be either "id", "login", or "login:id". Defaults to "login:id".
//
// GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
// and may not start or end with hyphens. GitHub users are allowed to change their login name,
// although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
// then a second user might change their name from "baz" to "foo" in order to take the old
// username of the first user. For this reason, it is not as safe to make authorization decisions
// based only on the user's login attribute.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these usernames are presented to Kubernetes.
//
// Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
// unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
// from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
// choice to concatenate the two values.
//
// See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
//
// +kubebuilder:default="login:id"
// +kubebuilder:validation:Enum={"id","login","login:id"}
// +optional
Username *GitHubUsernameAttribute `json:"username"`
// Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
//
// Can be either "name" or "slug". Defaults to "slug".
//
// GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
//
// GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
//
// Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
// forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
// or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
// the team name or slug.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these group names are presented to Kubernetes.
//
// See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
//
// +kubebuilder:default=slug
// +kubebuilder:validation:Enum=name;slug
// +optional
Groups *GitHubGroupNameAttribute `json:"groups"`
}
// GitHubClientSpec contains information about the GitHub client that this identity provider will use
// for web-based login flows.
type GitHubClientSpec struct {
// SecretName contains the name of a namespace-local Secret object that provides the clientID and
// clientSecret for an GitHub App or GitHub OAuth2 client.
//
// This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
//
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
type GitHubOrganizationsSpec struct {
// Policy must be set to "AllGitHubUsers" if allowed is empty.
//
// This field only exists to ensure that Pinniped administrators are aware that an empty list of
// allowedOrganizations means all GitHub users are allowed to log in.
//
// +kubebuilder:default=OnlyUsersFromAllowedOrganizations
// +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers
// +optional
Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"`
// Allowed, when specified, indicates that only users with membership in at least one of the listed
// GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
// teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
// provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
//
// The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
// otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
// within that organization.
//
// If no organizations are listed, you must set organizations: AllGitHubUsers.
//
// +kubebuilder:validation:MaxItems=64
// +listType=set
// +optional
Allowed []string `json:"allowed,omitempty"`
}
// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
type GitHubAllowAuthenticationSpec struct {
// Organizations allows customization of which organizations can authenticate using this IDP.
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')"
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')"
Organizations GitHubOrganizationsSpec `json:"organizations"`
}
// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
type GitHubIdentityProviderSpec struct {
// GitHubAPI allows configuration for GitHub Enterprise Server
//
// +kubebuilder:default={}
GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"`
// Claims allows customization of the username and groups claims.
//
// +kubebuilder:default={}
Claims GitHubClaims `json:"claims,omitempty"`
// AllowAuthentication allows customization of who can authenticate using this IDP and how.
AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"`
// Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
Client GitHubClientSpec `json:"client"`
}
// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
//
// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
// as OIDCClients.
//
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type GitHubIdentityProvider struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the identity provider.
Spec GitHubIdentityProviderSpec `json:"spec"`
// Status of the identity provider.
Status GitHubIdentityProviderStatus `json:"status,omitempty"`
}
// GitHubIdentityProviderList lists GitHubIdentityProvider objects.
//
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type GitHubIdentityProviderList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []GitHubIdentityProvider `json:"items"`
}

4
apis/supervisor/idp/v1alpha1/types_tls.go.tmpl
View File

@@ -1,9 +1,9 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
// Configuration for TLS parameters related to identity provider integration.
// TLSSpec provides TLS configuration for identity provider integration.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional

11
apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -15,6 +15,7 @@ const (
IDPTypeOIDC IDPType = "oidc"
IDPTypeLDAP IDPType = "ldap"
IDPTypeActiveDirectory IDPType = "activedirectory"
IDPTypeGitHub IDPType = "github"
IDPFlowCLIPassword IDPFlow = "cli_password"
IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
@@ -54,7 +55,8 @@ type OIDCDiscoveryResponseIDPEndpoint struct {
// IDPDiscoveryResponse is the response of a FederationDomain's identity provider discovery endpoint.
type IDPDiscoveryResponse struct {
PinnipedIDPs []PinnipedIDP `json:"pinniped_identity_providers"`
PinnipedIDPs []PinnipedIDP `json:"pinniped_identity_providers"`
PinnipedSupportedIDPTypes []PinnipedSupportedIDPType `json:"pinniped_supported_identity_provider_types"`
}
// PinnipedIDP describes a single identity provider as included in the response of a FederationDomain's
@@ -64,3 +66,8 @@ type PinnipedIDP struct {
Type IDPType `json:"type"`
Flows []IDPFlow `json:"flows,omitempty"`
}
// PinnipedSupportedIDPType describes a single identity provider type.
type PinnipedSupportedIDPType struct {
Type IDPType `json:"type"`
}

3
cmd/pinniped-concierge-kube-cert-agent/main_test.go
View File

@@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package main
@@ -90,7 +90,6 @@ func TestEntrypoint(t *testing.T) {
}`,
},
} {
tt := tt
t.Run(tt.name, func(t *testing.T) {
var logBuf bytes.Buffer
testLog := log.New(&logBuf, "", 0)

3
cmd/pinniped-server/main_test.go
View File

@@ -1,4 +1,4 @@
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package main
@@ -38,7 +38,6 @@ func TestEntrypoint(t *testing.T) {
wantArgs: []string{"/path/to/valid-test-binary", "foo", "bar"},
},
} {
tt := tt
t.Run(tt.name, func(t *testing.T) {
var logBuf bytes.Buffer
testLog := log.New(&logBuf, "", 0)

17
cmd/pinniped/cmd/kubeconfig.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@@ -143,7 +143,18 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
f.BoolVar(&flags.oidc.debugSessionCache, "oidc-debug-session-cache", false, "Print debug logs related to the OpenID Connect session cache")
f.StringVar(&flags.oidc.requestAudience, "oidc-request-audience", "", "Request a token with an alternate audience using RFC8693 token exchange")
f.StringVar(&flags.oidc.upstreamIDPName, "upstream-identity-provider-name", "", "The name of the upstream identity provider used during login with a Supervisor")
f.StringVar(&flags.oidc.upstreamIDPType, "upstream-identity-provider-type", "", fmt.Sprintf("The type of the upstream identity provider used during login with a Supervisor (e.g. '%s', '%s', '%s')", idpdiscoveryv1alpha1.IDPTypeOIDC, idpdiscoveryv1alpha1.IDPTypeLDAP, idpdiscoveryv1alpha1.IDPTypeActiveDirectory))
f.StringVar(
&flags.oidc.upstreamIDPType,
"upstream-identity-provider-type",
"",
fmt.Sprintf(
"The type of the upstream identity provider used during login with a Supervisor (e.g. '%s', '%s', '%s', '%s')",
idpdiscoveryv1alpha1.IDPTypeOIDC,
idpdiscoveryv1alpha1.IDPTypeLDAP,
idpdiscoveryv1alpha1.IDPTypeActiveDirectory,
idpdiscoveryv1alpha1.IDPTypeGitHub,
),
)
f.StringVar(&flags.oidc.upstreamIDPFlow, "upstream-identity-provider-flow", "", fmt.Sprintf("The type of client flow to use with the upstream identity provider during login with a Supervisor (e.g. '%s', '%s')", idpdiscoveryv1alpha1.IDPFlowCLIPassword, idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode))
f.StringVar(&flags.kubeconfigPath, "kubeconfig", os.Getenv("KUBECONFIG"), "Path to kubeconfig file")
f.StringVar(&flags.kubeconfigContextOverride, "kubeconfig-context", "", "Kubeconfig context name (default: current active context)")
@@ -163,7 +174,7 @@ func kubeconfigCommand(deps kubeconfigDeps) *cobra.Command {
mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")
cmd.RunE = func(cmd *cobra.Command, args []string) error {
cmd.RunE = func(cmd *cobra.Command, _args []string) error {
if flags.outputPath != "" {
out, err := os.Create(flags.outputPath)
if err != nil {

12
cmd/pinniped/cmd/kubeconfig_test.go
View File

@@ -156,7 +156,7 @@ func TestGetKubeconfig(t *testing.T) {
--timeout duration Timeout for autodiscovery and validation (default 10m0s)
--upstream-identity-provider-flow string The type of client flow to use with the upstream identity provider during login with a Supervisor (e.g. 'cli_password', 'browser_authcode')
--upstream-identity-provider-name string The name of the upstream identity provider used during login with a Supervisor
--upstream-identity-provider-type string The type of the upstream identity provider used during login with a Supervisor (e.g. 'oidc', 'ldap', 'activedirectory')
--upstream-identity-provider-type string The type of the upstream identity provider used during login with a Supervisor (e.g. 'oidc', 'ldap', 'activedirectory', 'github')
`)
},
},
@@ -908,7 +908,8 @@ func TestGetKubeconfig(t *testing.T) {
idpsDiscoveryResponse: here.Docf(`{
"pinniped_identity_providers": [
{"name": "some-ldap-idp", "type": "ldap"},
{"name": "some-oidc-idp", "type": "oidc"}
{"name": "some-oidc-idp", "type": "oidc", "flows": ["flow1", "flow2"]},
{"name": "some-github-idp", "type": "github"}
]
}`),
wantLogs: func(issuerCABundle string, issuerURL string) []string {
@@ -927,7 +928,7 @@ func TestGetKubeconfig(t *testing.T) {
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
return testutil.WantExactErrorString(`Error: multiple Supervisor upstream identity providers were found, ` +
`so the --upstream-identity-provider-name/--upstream-identity-provider-type flags must be specified. ` +
`Found these upstreams: [{"name":"some-ldap-idp","type":"ldap"},{"name":"some-oidc-idp","type":"oidc"}]` + "\n")
`Found these upstreams: [{"name":"some-ldap-idp","type":"ldap"},{"name":"some-oidc-idp","type":"oidc","flows":["flow1","flow2"]},{"name":"some-github-idp","type":"github"}]` + "\n")
},
},
{
@@ -1029,8 +1030,8 @@ func TestGetKubeconfig(t *testing.T) {
}
},
wantError: true,
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
return testutil.WantX509UntrustedCertErrorString(fmt.Sprintf("Error: while fetching OIDC discovery data from issuer: Get \"%s/.well-known/openid-configuration\": %%s\n", issuerURL), "Acme Co")
wantStderr: func(_issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
return testutil.WantSprintfErrorString(`Error: while fetching OIDC discovery data from issuer: Get "%s/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority%s`, issuerURL, "\n")
},
},
{
@@ -3197,7 +3198,6 @@ func TestGetKubeconfig(t *testing.T) {
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
var issuerEndpointPtr *string
testServer, testServerCA := tlsserver.TestServerIPv4(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

112
cmd/pinniped/cmd/login_oidc.go
View File

@@ -12,7 +12,6 @@ import (
"net/http"
"os"
"path/filepath"
"strings"
"time"
"github.com/spf13/cobra"
@@ -59,9 +58,10 @@ func init() {
}
type oidcLoginCommandDeps struct {
lookupEnv func(string) (string, bool)
login func(string, string, ...oidcclient.Option) (*oidctypes.Token, error)
exchangeToken func(context.Context, *conciergeclient.Client, string) (*clientauthv1beta1.ExecCredential, error)
lookupEnv func(string) (string, bool)
login func(string, string, ...oidcclient.Option) (*oidctypes.Token, error)
exchangeToken func(context.Context, *conciergeclient.Client, string) (*clientauthv1beta1.ExecCredential, error)
optionsFactory OIDCClientOptions
}
func oidcLoginCommandRealDeps() oidcLoginCommandDeps {
@@ -71,6 +71,7 @@ func oidcLoginCommandRealDeps() oidcLoginCommandDeps {
exchangeToken: func(ctx context.Context, client *conciergeclient.Client, token string) (*clientauthv1beta1.ExecCredential, error) {
return client.ExchangeToken(ctx, token)
},
optionsFactory: &clientOptions{},
}
}
@@ -140,14 +141,23 @@ func oidcLoginCommand(deps oidcLoginCommandDeps) *cobra.Command {
cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", groupsuffix.PinnipedDefaultSuffix, "Concierge API group suffix")
cmd.Flags().StringVar(&flags.credentialCachePath, "credential-cache", filepath.Join(mustGetConfigDir(), "credentials.yaml"), "Path to cluster-specific credentials cache (\"\" disables the cache)")
cmd.Flags().StringVar(&flags.upstreamIdentityProviderName, "upstream-identity-provider-name", "", "The name of the upstream identity provider used during login with a Supervisor")
cmd.Flags().StringVar(&flags.upstreamIdentityProviderType, "upstream-identity-provider-type", idpdiscoveryv1alpha1.IDPTypeOIDC.String(), fmt.Sprintf("The type of the upstream identity provider used during login with a Supervisor (e.g. '%s', '%s', '%s')", idpdiscoveryv1alpha1.IDPTypeOIDC, idpdiscoveryv1alpha1.IDPTypeLDAP, idpdiscoveryv1alpha1.IDPTypeActiveDirectory))
cmd.Flags().StringVar(&flags.upstreamIdentityProviderType,
"upstream-identity-provider-type",
idpdiscoveryv1alpha1.IDPTypeOIDC.String(),
fmt.Sprintf(
"The type of the upstream identity provider used during login with a Supervisor (e.g. '%s', '%s', '%s', '%s')",
idpdiscoveryv1alpha1.IDPTypeOIDC,
idpdiscoveryv1alpha1.IDPTypeLDAP,
idpdiscoveryv1alpha1.IDPTypeActiveDirectory,
idpdiscoveryv1alpha1.IDPTypeGitHub,
))
cmd.Flags().StringVar(&flags.upstreamIdentityProviderFlow, "upstream-identity-provider-flow", "", fmt.Sprintf("The type of client flow to use with the upstream identity provider during login with a Supervisor (e.g. '%s', '%s')", idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode, idpdiscoveryv1alpha1.IDPFlowCLIPassword))
// --skip-listen is mainly needed for testing. We'll leave it hidden until we have a non-testing use case.
mustMarkHidden(cmd, "skip-listen")
mustMarkHidden(cmd, "debug-session-cache")
mustMarkRequired(cmd, "issuer")
cmd.RunE = func(cmd *cobra.Command, args []string) error { return runOIDCLogin(cmd, deps, flags) }
cmd.RunE = func(cmd *cobra.Command, _args []string) error { return runOIDCLogin(cmd, deps, flags) }
mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")
mustMarkHidden(cmd, "concierge-namespace")
@@ -175,39 +185,37 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
// Initialize the login handler.
opts := []oidcclient.Option{
oidcclient.WithContext(cmd.Context()),
oidcclient.WithLogger(plog.Logr()), //nolint:staticcheck // old code with lots of log statements
oidcclient.WithScopes(flags.scopes),
oidcclient.WithSessionCache(sessionCache),
deps.optionsFactory.WithContext(cmd.Context()),
deps.optionsFactory.WithLogger(plog.Logr()), //nolint:staticcheck // old code with lots of log statements
deps.optionsFactory.WithScopes(flags.scopes),
deps.optionsFactory.WithSessionCache(sessionCache),
}
skipPrintLoginURL, _ := deps.lookupEnv(skipPrintLoginURLEnvVarName)
if skipPrintLoginURL == envVarTruthyValue {
opts = append(opts, oidcclient.WithSkipPrintLoginURL())
opts = append(opts, deps.optionsFactory.WithSkipPrintLoginURL())
}
if flags.listenPort != 0 {
opts = append(opts, oidcclient.WithListenPort(flags.listenPort))
opts = append(opts, deps.optionsFactory.WithListenPort(flags.listenPort))
}
if flags.requestAudience != "" {
opts = append(opts, oidcclient.WithRequestAudience(flags.requestAudience))
opts = append(opts, deps.optionsFactory.WithRequestAudience(flags.requestAudience))
}
if flags.upstreamIdentityProviderName != "" {
opts = append(opts, oidcclient.WithUpstreamIdentityProvider(
opts = append(opts, deps.optionsFactory.WithUpstreamIdentityProvider(
flags.upstreamIdentityProviderName, flags.upstreamIdentityProviderType))
}
flowOpts, err := flowOptions(
idpdiscoveryv1alpha1.IDPType(flags.upstreamIdentityProviderType),
idpdiscoveryv1alpha1.IDPFlow(flags.upstreamIdentityProviderFlow),
deps,
)
if err != nil {
return err
requestedFlow, flowSource := idpdiscoveryv1alpha1.IDPFlow(flags.upstreamIdentityProviderFlow), "--upstream-identity-provider-flow"
if flowOverride, hasFlowOverride := deps.lookupEnv(upstreamIdentityProviderFlowEnvVarName); hasFlowOverride {
requestedFlow, flowSource = idpdiscoveryv1alpha1.IDPFlow(flowOverride), upstreamIdentityProviderFlowEnvVarName
}
if requestedFlow != "" {
opts = append(opts, deps.optionsFactory.WithLoginFlow(requestedFlow, flowSource))
}
opts = append(opts, flowOpts...)
var concierge *conciergeclient.Client
if flags.conciergeEnabled {
@@ -225,12 +233,12 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
// --skip-browser skips opening the browser.
if flags.skipBrowser {
opts = append(opts, oidcclient.WithSkipBrowserOpen())
opts = append(opts, deps.optionsFactory.WithSkipBrowserOpen())
}
// --skip-listen skips starting the localhost callback listener.
if flags.skipListen {
opts = append(opts, oidcclient.WithSkipListen())
opts = append(opts, deps.optionsFactory.WithSkipListen())
}
if len(flags.caBundlePaths) > 0 || len(flags.caBundleData) > 0 {
@@ -238,7 +246,7 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
if err != nil {
return err
}
opts = append(opts, oidcclient.WithClient(client))
opts = append(opts, deps.optionsFactory.WithClient(client))
}
// Look up cached credentials based on a hash of all the CLI arguments and the cluster info.
cacheKey := struct {
@@ -288,60 +296,6 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
return json.NewEncoder(cmd.OutOrStdout()).Encode(cred)
}
func flowOptions(
requestedIDPType idpdiscoveryv1alpha1.IDPType,
requestedFlow idpdiscoveryv1alpha1.IDPFlow,
deps oidcLoginCommandDeps,
) ([]oidcclient.Option, error) {
useCLIFlow := []oidcclient.Option{oidcclient.WithCLISendingCredentials()}
// If the env var is set to override the --upstream-identity-provider-type flag, then override it.
flowOverride, hasFlowOverride := deps.lookupEnv(upstreamIdentityProviderFlowEnvVarName)
flowSource := "--upstream-identity-provider-flow"
if hasFlowOverride {
requestedFlow = idpdiscoveryv1alpha1.IDPFlow(flowOverride)
flowSource = upstreamIdentityProviderFlowEnvVarName
}
switch requestedIDPType {
case idpdiscoveryv1alpha1.IDPTypeOIDC:
switch requestedFlow {
case idpdiscoveryv1alpha1.IDPFlowCLIPassword:
return useCLIFlow, nil
case idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode, "":
return nil, nil // browser authcode flow is the default Option, so don't need to return an Option here
default:
return nil, fmt.Errorf(
"%s value not recognized for identity provider type %q: %s (supported values: %s)",
flowSource, requestedIDPType, requestedFlow,
strings.Join([]string{idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode.String(), idpdiscoveryv1alpha1.IDPFlowCLIPassword.String()}, ", "))
}
case idpdiscoveryv1alpha1.IDPTypeLDAP, idpdiscoveryv1alpha1.IDPTypeActiveDirectory:
switch requestedFlow {
case idpdiscoveryv1alpha1.IDPFlowCLIPassword, "":
return useCLIFlow, nil
case idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode:
return nil, nil // browser authcode flow is the default Option, so don't need to return an Option here
default:
return nil, fmt.Errorf(
"%s value not recognized for identity provider type %q: %s (supported values: %s)",
flowSource, requestedIDPType, requestedFlow,
strings.Join([]string{idpdiscoveryv1alpha1.IDPFlowCLIPassword.String(), idpdiscoveryv1alpha1.IDPFlowBrowserAuthcode.String()}, ", "))
}
default:
// Surprisingly cobra does not support this kind of flag validation. See https://github.com/spf13/pflag/issues/236
return nil, fmt.Errorf(
"--upstream-identity-provider-type value not recognized: %s (supported values: %s)",
requestedIDPType,
strings.Join([]string{
idpdiscoveryv1alpha1.IDPTypeOIDC.String(),
idpdiscoveryv1alpha1.IDPTypeLDAP.String(),
idpdiscoveryv1alpha1.IDPTypeActiveDirectory.String(),
}, ", "),
)
}
}
func makeClient(caBundlePaths []string, caBundleData []string) (*http.Client, error) {
pool := x509.NewCertPool()
for _, p := range caBundlePaths {

347
cmd/pinniped/cmd/login_oidc_test.go
View File

@@ -14,12 +14,16 @@ import (
"time"
"github.com/stretchr/testify/require"
"go.uber.org/mock/gomock"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
clocktesting "k8s.io/utils/clock/testing"
idpdiscoveryv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
"go.pinniped.dev/internal/certauthority"
"go.pinniped.dev/internal/here"
"go.pinniped.dev/internal/mocks/mockoidcclientoptions"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/internal/testutil"
"go.pinniped.dev/pkg/conciergeclient"
@@ -42,6 +46,13 @@ func TestLoginOIDCCommand(t *testing.T) {
require.NoError(t, err)
nowStr := now.Local().Format(time.RFC1123)
defaultWantedOptions := func(f *mockoidcclientoptions.MockOIDCClientOptions) {
f.EXPECT().WithContext(gomock.Any())
f.EXPECT().WithLogger(gomock.Any())
f.EXPECT().WithScopes([]string{oidcapi.ScopeOfflineAccess, oidcapi.ScopeOpenID, oidcapi.ScopeRequestAudience, oidcapi.ScopeUsername, oidcapi.ScopeGroups})
f.EXPECT().WithSessionCache(gomock.Any())
}
tests := []struct {
name string
args []string
@@ -51,6 +62,7 @@ func TestLoginOIDCCommand(t *testing.T) {
wantError bool
wantStdout string
wantStderr string
wantOptions func(f *mockoidcclientoptions.MockOIDCClientOptions)
wantOptionsCount int
wantLogs []string
}{
@@ -91,7 +103,7 @@ func TestLoginOIDCCommand(t *testing.T) {
--skip-browser Skip opening the browser (just print the URL)
--upstream-identity-provider-flow string The type of client flow to use with the upstream identity provider during login with a Supervisor (e.g. 'browser_authcode', 'cli_password')
--upstream-identity-provider-name string The name of the upstream identity provider used during login with a Supervisor
--upstream-identity-provider-type string The type of the upstream identity provider used during login with a Supervisor (e.g. 'oidc', 'ldap', 'activedirectory') (default "oidc")
--upstream-identity-provider-type string The type of the upstream identity provider used during login with a Supervisor (e.g. 'oidc', 'ldap', 'activedirectory', 'github') (default "oidc")
`),
},
{
@@ -109,7 +121,8 @@ func TestLoginOIDCCommand(t *testing.T) {
"--issuer", "test-issuer",
"--enable-concierge",
},
wantError: true,
wantOptions: defaultWantedOptions,
wantError: true,
wantStderr: here.Doc(`
Error: invalid Concierge parameters: endpoint must not be empty
`),
@@ -121,7 +134,8 @@ func TestLoginOIDCCommand(t *testing.T) {
"--issuer", "test-issuer",
"--ca-bundle", "./does/not/exist",
},
wantError: true,
wantOptions: defaultWantedOptions,
wantError: true,
wantStderr: here.Doc(`
Error: could not read --ca-bundle: open ./does/not/exist: no such file or directory
`),
@@ -133,7 +147,8 @@ func TestLoginOIDCCommand(t *testing.T) {
"--issuer", "test-issuer",
"--ca-bundle-data", "invalid-base64",
},
wantError: true,
wantOptions: defaultWantedOptions,
wantError: true,
wantStderr: here.Doc(`
Error: could not read --ca-bundle-data: illegal base64 data at input byte 7
`),
@@ -148,34 +163,12 @@ func TestLoginOIDCCommand(t *testing.T) {
"--concierge-authenticator-name", "test-authenticator",
"--concierge-endpoint", "https://127.0.0.1:1234/",
},
wantError: true,
wantOptions: defaultWantedOptions,
wantError: true,
wantStderr: here.Doc(`
Error: invalid Concierge parameters: invalid API group suffix: a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
`),
},
{
name: "invalid upstream type is an error",
args: []string{
"--issuer", "test-issuer",
"--upstream-identity-provider-type", "invalid",
},
wantError: true,
wantStderr: here.Doc(`
Error: --upstream-identity-provider-type value not recognized: invalid (supported values: oidc, ldap, activedirectory)
`),
},
{
name: "invalid upstream type when flow override env var is used is still an error",
args: []string{
"--issuer", "test-issuer",
"--upstream-identity-provider-type", "invalid",
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "browser_authcode"},
wantError: true,
wantStderr: here.Doc(`
Error: --upstream-identity-provider-type value not recognized: invalid (supported values: oidc, ldap, activedirectory)
`),
},
{
name: "oidc upstream type with default flow is allowed",
args: []string{
@@ -184,6 +177,7 @@ func TestLoginOIDCCommand(t *testing.T) {
"--upstream-identity-provider-type", "oidc",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
wantOptions: defaultWantedOptions,
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
@@ -195,269 +189,45 @@ func TestLoginOIDCCommand(t *testing.T) {
"--upstream-identity-provider-type", "oidc",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_SKIP_PRINT_LOGIN_URL": "true"},
env: map[string]string{"PINNIPED_SKIP_PRINT_LOGIN_URL": "true"},
wantOptions: func(f *mockoidcclientoptions.MockOIDCClientOptions) {
defaultWantedOptions(f)
f.EXPECT().WithSkipPrintLoginURL()
},
wantOptionsCount: 5,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "oidc upstream type with CLI flow is allowed",
name: "--upstream-identity-provider-flow adds an option",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "oidc",
"--upstream-identity-provider-flow", "cli_password",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
wantOptionsCount: 5,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "oidc upstream type with browser flow is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "oidc",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "oidc upstream type with CLI flow in flow override env var is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "oidc",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "cli_password"},
wantOptionsCount: 5,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "oidc upstream type with with browser flow in flow override env var is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "oidc",
"--upstream-identity-provider-flow", "cli_password",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "browser_authcode"},
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "oidc upstream type with unsupported flow is an error",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "oidc",
"--upstream-identity-provider-flow", "foobar",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
wantError: true,
wantStderr: here.Doc(`
Error: --upstream-identity-provider-flow value not recognized for identity provider type "oidc": foobar (supported values: browser_authcode, cli_password)
`),
},
{
name: "oidc upstream type with unsupported flow in flow override env var is an error",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "oidc",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "foo"},
wantError: true,
wantStderr: here.Doc(`
Error: PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW value not recognized for identity provider type "oidc": foo (supported values: browser_authcode, cli_password)
`),
},
{
name: "ldap upstream type with default flow is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "ldap",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
wantOptions: func(f *mockoidcclientoptions.MockOIDCClientOptions) {
defaultWantedOptions(f)
f.EXPECT().WithLoginFlow(idpdiscoveryv1alpha1.IDPFlowCLIPassword, "--upstream-identity-provider-flow")
},
wantOptionsCount: 5,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "activedirectory upstream type with default flow is allowed",
name: "PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW adds an option that overrides --upstream-identity-provider-flow",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "activedirectory",
"--upstream-identity-provider-flow", "ignored-value-from-param",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "actual-value-from-env"},
wantOptions: func(f *mockoidcclientoptions.MockOIDCClientOptions) {
defaultWantedOptions(f)
f.EXPECT().WithLoginFlow(idpdiscoveryv1alpha1.IDPFlow("actual-value-from-env"), "PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW")
},
wantOptionsCount: 5,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "ldap upstream type with CLI flow is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "ldap",
"--upstream-identity-provider-flow", "cli_password",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
wantOptionsCount: 5,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "ldap upstream type with browser_authcode flow is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "ldap",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "ldap upstream type with CLI flow in flow override env var is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "ldap",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "cli_password"},
wantOptionsCount: 5,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "ldap upstream type with browser_authcode flow in flow override env var is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "ldap",
"--upstream-identity-provider-flow", "cli_password",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "browser_authcode"},
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "ldap upstream type with unsupported flow is an error",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "ldap",
"--upstream-identity-provider-flow", "foo",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
wantError: true,
wantStderr: here.Doc(`
Error: --upstream-identity-provider-flow value not recognized for identity provider type "ldap": foo (supported values: cli_password, browser_authcode)
`),
},
{
name: "ldap upstream type with unsupported flow in flow override env var is an error",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "ldap",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "foo"},
wantError: true,
wantStderr: here.Doc(`
Error: PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW value not recognized for identity provider type "ldap": foo (supported values: cli_password, browser_authcode)
`),
},
{
name: "active directory upstream type with CLI flow is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "activedirectory",
"--upstream-identity-provider-flow", "cli_password",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
wantOptionsCount: 5,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "active directory upstream type with browser_authcode is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "activedirectory",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "active directory upstream type with CLI flow in flow override env var is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "activedirectory",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "cli_password"},
wantOptionsCount: 5,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "active directory upstream type with browser_authcode in flow override env var is allowed",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "activedirectory",
"--upstream-identity-provider-flow", "cli_password",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "browser_authcode"},
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
},
{
name: "active directory upstream type with unsupported flow is an error",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "activedirectory",
"--upstream-identity-provider-flow", "foo",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
wantError: true,
wantStderr: here.Doc(`
Error: --upstream-identity-provider-flow value not recognized for identity provider type "activedirectory": foo (supported values: cli_password, browser_authcode)
`),
},
{
name: "active directory upstream type with unsupported flow in flow override env var is an error",
args: []string{
"--issuer", "test-issuer",
"--client-id", "test-client-id",
"--upstream-identity-provider-type", "activedirectory",
"--upstream-identity-provider-flow", "browser_authcode",
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW": "foo"},
wantError: true,
wantStderr: here.Doc(`
Error: PINNIPED_UPSTREAM_IDENTITY_PROVIDER_FLOW value not recognized for identity provider type "activedirectory": foo (supported values: cli_password, browser_authcode)
`),
},
{
name: "login error",
args: []string{
@@ -466,6 +236,7 @@ func TestLoginOIDCCommand(t *testing.T) {
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
loginErr: fmt.Errorf("some login error"),
wantOptions: defaultWantedOptions,
wantOptionsCount: 4,
wantError: true,
wantStderr: here.Doc(`
@@ -484,6 +255,7 @@ func TestLoginOIDCCommand(t *testing.T) {
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
conciergeErr: fmt.Errorf("some concierge error"),
wantOptions: defaultWantedOptions,
wantOptionsCount: 4,
wantError: true,
wantStderr: here.Doc(`
@@ -498,11 +270,12 @@ func TestLoginOIDCCommand(t *testing.T) {
"--credential-cache", "", // must specify --credential-cache or else the cache file on disk causes test pollution
},
env: map[string]string{"PINNIPED_DEBUG": "true"},
wantOptions: defaultWantedOptions,
wantOptionsCount: 4,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"test-id-token"}}` + "\n",
wantLogs: []string{
nowStr + ` pinniped-login cmd/login_oidc.go:260 Performing OIDC login {"issuer": "test-issuer", "client id": "test-client-id"}`,
nowStr + ` pinniped-login cmd/login_oidc.go:280 No concierge configured, skipping token credential exchange`,
nowStr + ` pinniped-login cmd/login_oidc.go:268 Performing OIDC login {"issuer": "test-issuer", "client id": "test-client-id"}`,
nowStr + ` pinniped-login cmd/login_oidc.go:288 No concierge configured, skipping token credential exchange`,
},
},
{
@@ -526,24 +299,45 @@ func TestLoginOIDCCommand(t *testing.T) {
"--credential-cache", t.TempDir() + "/credentials.yaml", // must specify --credential-cache or else the cache file on disk causes test pollution
"--upstream-identity-provider-name", "some-upstream-name",
"--upstream-identity-provider-type", "ldap",
"--upstream-identity-provider-flow", "some-flow-type",
},
env: map[string]string{"PINNIPED_DEBUG": "true", "PINNIPED_SKIP_PRINT_LOGIN_URL": "true"},
wantOptions: func(f *mockoidcclientoptions.MockOIDCClientOptions) {
f.EXPECT().WithContext(gomock.Any())
f.EXPECT().WithLogger(gomock.Any())
f.EXPECT().WithScopes([]string{oidcapi.ScopeOfflineAccess, oidcapi.ScopeOpenID, oidcapi.ScopeRequestAudience, oidcapi.ScopeUsername, oidcapi.ScopeGroups})
f.EXPECT().WithSessionCache(gomock.Any())
f.EXPECT().WithListenPort(uint16(1234))
f.EXPECT().WithSkipBrowserOpen()
f.EXPECT().WithSkipListen()
f.EXPECT().WithSkipPrintLoginURL()
f.EXPECT().WithClient(gomock.Any())
f.EXPECT().WithRequestAudience("cluster-1234")
f.EXPECT().WithLoginFlow(idpdiscoveryv1alpha1.IDPFlow("some-flow-type"), "--upstream-identity-provider-flow")
f.EXPECT().WithUpstreamIdentityProvider("some-upstream-name", "ldap")
},
env: map[string]string{"PINNIPED_DEBUG": "true", "PINNIPED_SKIP_PRINT_LOGIN_URL": "true"},
wantOptionsCount: 12,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{"interactive":false},"status":{"token":"exchanged-token"}}` + "\n",
wantLogs: []string{
nowStr + ` pinniped-login cmd/login_oidc.go:260 Performing OIDC login {"issuer": "test-issuer", "client id": "test-client-id"}`,
nowStr + ` pinniped-login cmd/login_oidc.go:270 Exchanging token for cluster credential {"endpoint": "https://127.0.0.1:1234/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
nowStr + ` pinniped-login cmd/login_oidc.go:278 Successfully exchanged token for cluster credential.`,
nowStr + ` pinniped-login cmd/login_oidc.go:285 caching cluster credential for future use.`,
nowStr + ` pinniped-login cmd/login_oidc.go:268 Performing OIDC login {"issuer": "test-issuer", "client id": "test-client-id"}`,
nowStr + ` pinniped-login cmd/login_oidc.go:278 Exchanging token for cluster credential {"endpoint": "https://127.0.0.1:1234/", "authenticator type": "webhook", "authenticator name": "test-authenticator"}`,
nowStr + ` pinniped-login cmd/login_oidc.go:286 Successfully exchanged token for cluster credential.`,
nowStr + ` pinniped-login cmd/login_oidc.go:293 caching cluster credential for future use.`,
},
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
var buf bytes.Buffer
ctx := plog.AddZapOverridesToContext(context.Background(), t, &buf, nil, clocktesting.NewFakeClock(now))
ctrl := gomock.NewController(t)
t.Cleanup(ctrl.Finish)
optionsFactory := mockoidcclientoptions.NewMockOIDCClientOptions(ctrl)
if tt.wantOptions != nil {
tt.wantOptions(optionsFactory)
}
var gotOptions []oidcclient.Option
cmd := oidcLoginCommand(oidcLoginCommandDeps{
lookupEnv: func(s string) (string, bool) {
@@ -579,6 +373,7 @@ func TestLoginOIDCCommand(t *testing.T) {
},
}, nil
},
optionsFactory: optionsFactory,
})
require.NotNil(t, cmd)

2
cmd/pinniped/cmd/login_static.go
View File

@@ -86,7 +86,7 @@ func staticLoginCommand(deps staticLoginDeps) *cobra.Command {
cmd.Flags().StringVar(&flags.conciergeAPIGroupSuffix, "concierge-api-group-suffix", groupsuffix.PinnipedDefaultSuffix, "Concierge API group suffix")
cmd.Flags().StringVar(&flags.credentialCachePath, "credential-cache", filepath.Join(mustGetConfigDir(), "credentials.yaml"), "Path to cluster-specific credentials cache (\"\" disables the cache)")
cmd.RunE = func(cmd *cobra.Command, args []string) error { return runStaticLogin(cmd, deps, flags) }
cmd.RunE = func(cmd *cobra.Command, _args []string) error { return runStaticLogin(cmd, deps, flags) }
mustMarkDeprecated(cmd, "concierge-namespace", "not needed anymore")
mustMarkHidden(cmd, "concierge-namespace")

1
cmd/pinniped/cmd/login_static_test.go
View File

@@ -175,7 +175,6 @@ func TestLoginStaticCommand(t *testing.T) {
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
var buf bytes.Buffer
ctx := plog.AddZapOverridesToContext(context.Background(), t, &buf, nil, clocktesting.NewFakeClock(now))

85
cmd/pinniped/cmd/oidc_client_options.go Normal file
View File

@@ -0,0 +1,85 @@
// Copyright 2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
import (
"context"
"net/http"
"github.com/go-logr/logr"
"go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
"go.pinniped.dev/pkg/oidcclient"
)
// OIDCClientOptions is an interface that wraps the creation of Options for the purpose of making them
// more friendly to unit tests. Because the Option type refers to a private struct type, it is hard
// to create mocks for them in tests of other packages. This provides a seam that can be mocked.
type OIDCClientOptions interface {
WithContext(ctx context.Context) oidcclient.Option
WithLogger(logger logr.Logger) oidcclient.Option
WithListenPort(port uint16) oidcclient.Option
WithSkipBrowserOpen() oidcclient.Option
WithSkipListen() oidcclient.Option
WithSkipPrintLoginURL() oidcclient.Option
WithSessionCache(cache oidcclient.SessionCache) oidcclient.Option
WithClient(httpClient *http.Client) oidcclient.Option
WithScopes(scopes []string) oidcclient.Option
WithRequestAudience(audience string) oidcclient.Option
WithLoginFlow(loginFlow v1alpha1.IDPFlow, flowSource string) oidcclient.Option
WithUpstreamIdentityProvider(upstreamName, upstreamType string) oidcclient.Option
}
// clientOptions implements OIDCClientOptions for production use.
type clientOptions struct{}
var _ OIDCClientOptions = (*clientOptions)(nil)
func (o *clientOptions) WithContext(ctx context.Context) oidcclient.Option {
return oidcclient.WithContext(ctx)
}
func (o *clientOptions) WithLogger(logger logr.Logger) oidcclient.Option {
return oidcclient.WithLogger(logger)
}
func (o *clientOptions) WithListenPort(port uint16) oidcclient.Option {
return oidcclient.WithListenPort(port)
}
func (o *clientOptions) WithSkipBrowserOpen() oidcclient.Option {
return oidcclient.WithSkipBrowserOpen()
}
func (o *clientOptions) WithSkipListen() oidcclient.Option {
return oidcclient.WithSkipListen()
}
func (o *clientOptions) WithSkipPrintLoginURL() oidcclient.Option {
return oidcclient.WithSkipPrintLoginURL()
}
func (o *clientOptions) WithSessionCache(cache oidcclient.SessionCache) oidcclient.Option {
return oidcclient.WithSessionCache(cache)
}
func (o *clientOptions) WithClient(httpClient *http.Client) oidcclient.Option {
return oidcclient.WithClient(httpClient)
}
func (o *clientOptions) WithScopes(scopes []string) oidcclient.Option {
return oidcclient.WithScopes(scopes)
}
func (o *clientOptions) WithRequestAudience(audience string) oidcclient.Option {
return oidcclient.WithRequestAudience(audience)
}
func (o *clientOptions) WithLoginFlow(loginFlow v1alpha1.IDPFlow, flowSource string) oidcclient.Option {
return oidcclient.WithLoginFlow(loginFlow, flowSource)
}
func (o *clientOptions) WithUpstreamIdentityProvider(upstreamName, upstreamType string) oidcclient.Option {
return oidcclient.WithUpstreamIdentityProvider(upstreamName, upstreamType)
}

3
cmd/pinniped/cmd/version_test.go
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@@ -126,7 +126,6 @@ func TestNewVersionCmd(t *testing.T) {
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
if tt.getBuildInfo != nil {
getBuildInfo = tt.getBuildInfo

6
cmd/pinniped/cmd/whoami_test.go
View File

@@ -1,4 +1,4 @@
// Copyright 2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
@@ -107,8 +107,7 @@ func TestWhoami(t *testing.T) {
Current user info:
Username: some-username
Groups:
`),
Groups:` + " \n"), // Linters and codeformatters don't like the extra space after "Groups:" and before the newline
},
{
name: "json output",
@@ -280,7 +279,6 @@ func TestWhoami(t *testing.T) {
},
}
for _, test := range tests {
test := test
t.Run(test.name, func(t *testing.T) {
getClientset := func(clientConfig clientcmd.ClientConfig, apiGroupSuffix string) (conciergeclientset.Interface, error) {
if test.gettingClientsetErr != nil {

2
deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: jwtauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

2
deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: webhookauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

2
deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: credentialissuers.config.concierge.pinniped.dev
spec:
group: config.concierge.pinniped.dev

30
deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: federationdomains.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev
@@ -421,10 +421,15 @@ spec:
exist.
properties:
name:
default: ""
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -434,10 +439,15 @@ spec:
encrypting state parameters is stored.
properties:
name:
default: ""
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -447,10 +457,15 @@ spec:
signing state parameters is stored.
properties:
name:
default: ""
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
type: object
x-kubernetes-map-type: atomic
@@ -460,10 +475,15 @@ spec:
signing tokens is stored.
properties:
name:
default: ""
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
TODO: Add other useful fields. apiVersion, kind, uid?
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
type: string
type: object
x-kubernetes-map-type: atomic

2
deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: oidcclients.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev

2
deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

326
deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml Normal file
View File

@@ -0,0 +1,326 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: githubidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev
names:
categories:
- pinniped
- pinniped-idp
- pinniped-idps
kind: GitHubIdentityProvider
listKind: GitHubIdentityProviderList
plural: githubidentityproviders
singular: githubidentityprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.githubAPI.host
name: Host
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec for configuring the identity provider.
properties:
allowAuthentication:
description: AllowAuthentication allows customization of who can authenticate
using this IDP and how.
properties:
organizations:
description: Organizations allows customization of which organizations
can authenticate using this IDP.
properties:
allowed:
description: |-
Allowed, when specified, indicates that only users with membership in at least one of the listed
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
within that organization.
If no organizations are listed, you must set organizations: AllGitHubUsers.
items:
type: string
maxItems: 64
type: array
x-kubernetes-list-type: set
policy:
default: OnlyUsersFromAllowedOrganizations
description: |-
Policy must be set to "AllGitHubUsers" if allowed is empty.
This field only exists to ensure that Pinniped administrators are aware that an empty list of
allowedOrganizations means all GitHub users are allowed to log in.
enum:
- OnlyUsersFromAllowedOrganizations
- AllGitHubUsers
type: string
type: object
x-kubernetes-validations:
- message: spec.allowAuthentication.organizations.policy must
be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed
has organizations listed
rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy
== ''AllGitHubUsers'')'
- message: spec.allowAuthentication.organizations.policy must
be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed
is empty
rule: '!((!has(self.allowed) || size(self.allowed) == 0) &&
self.policy == ''OnlyUsersFromAllowedOrganizations'')'
required:
- organizations
type: object
claims:
default: {}
description: Claims allows customization of the username and groups
claims.
properties:
groups:
default: slug
description: |-
Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
Can be either "name" or "slug". Defaults to "slug".
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
the team name or slug.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these group names are presented to Kubernetes.
See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
enum:
- name
- slug
type: string
username:
default: login:id
description: |-
Username configures which property of the GitHub user record shall determine the username in Kubernetes.
Can be either "id", "login", or "login:id". Defaults to "login:id".
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
and may not start or end with hyphens. GitHub users are allowed to change their login name,
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
then a second user might change their name from "baz" to "foo" in order to take the old
username of the first user. For this reason, it is not as safe to make authorization decisions
based only on the user's login attribute.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these usernames are presented to Kubernetes.
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
choice to concatenate the two values.
See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
enum:
- id
- login
- login:id
type: string
type: object
client:
description: Client identifies the secret with credentials for a GitHub
App or GitHub OAuth2 App (a GitHub client).
properties:
secretName:
description: |-
SecretName contains the name of a namespace-local Secret object that provides the clientID and
clientSecret for an GitHub App or GitHub OAuth2 client.
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
minLength: 1
type: string
required:
- secretName
type: object
githubAPI:
default: {}
description: GitHubAPI allows configuration for GitHub Enterprise
Server
properties:
host:
default: github.com
description: |-
Host is required only for GitHub Enterprise Server.
Defaults to using GitHub's public API ("github.com").
Do not specify a protocol or scheme since "https://" will always be used.
Port is optional. Do not specify a path, query, fragment, or userinfo.
Only domain name or IP address, subdomains (optional), and port (optional).
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
in square brackets. Example: "[::1]:443".
minLength: 1
type: string
tls:
description: TLS configuration for GitHub Enterprise Server.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM
bundle). If omitted, a default set of system roots will
be trusted.
type: string
type: object
type: object
required:
- allowAuthentication
- client
type: object
status:
description: Status of the identity provider.
properties:
conditions:
description: Conditions represents the observations of an identity
provider's current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the GitHubIdentityProvider.
enum:
- Pending
- Ready
- Error
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}

2
deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: ldapidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

2
deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: oidcidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

8
deploy/supervisor/rbac.yaml
View File

@@ -56,6 +56,14 @@ rules:
- #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
resources: [activedirectoryidentityproviders/status]
verbs: [get, patch, update]
- apiGroups:
- #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
resources: [githubidentityproviders]
verbs: [get, list, watch]
- apiGroups:
- #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
resources: [githubidentityproviders/status]
verbs: [get, patch, update]
#! We want to be able to read pods/replicasets/deployment so we can learn who our deployment is to set
#! as an owner reference.
- apiGroups: [""]

11
deploy/supervisor/z0_crd_overlay.yaml
View File

@@ -1,4 +1,4 @@
#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
#! Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:overlay", "overlay")
@@ -41,6 +41,15 @@ metadata:
spec:
group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"githubidentityproviders.idp.supervisor.pinniped.dev"}}), expects=1
---
metadata:
#@overlay/match missing_ok=True
labels: #@ labels()
name: #@ pinnipedDevAPIGroupWithPrefix("githubidentityproviders.idp.supervisor")
spec:
group: #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"oidcclients.config.supervisor.pinniped.dev"}}), expects=1
---
metadata:

282
generated/1.24/README.adoc generated
View File

@@ -1645,6 +1645,285 @@ Optional, when empty this defaults to "objectGUID". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig"]
==== GitHubAPIConfig
GitHubAPIConfig allows configuration for GitHub Enterprise Server
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"]
==== GitHubAllowAuthenticationSpec
GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"]
==== GitHubAllowedAuthOrganizationsPolicy (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims"]
==== GitHubClaims
GitHubClaims allows customization of the username and groups claims.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
then a second user might change their name from "baz" to "foo" in order to take the old +
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclientspec"]
==== GitHubClientSpec
GitHubClientSpec contains information about the GitHub client that this identity provider will use
for web-based login flows.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"]
==== GitHubGroupNameAttribute (string)
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
names to present to Kubernetes. See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityprovider"]
==== GitHubIdentityProvider
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"]
==== GitHubIdentityProviderPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"]
==== GitHubIdentityProviderSpec
GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"]
==== GitHubIdentityProviderStatus
GitHubIdentityProviderStatus is the status of an GitHub identity provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuborganizationsspec"]
==== GitHubOrganizationsSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include +
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubusernameattribute"]
==== GitHubUsernameAttribute (string)
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
to Kubernetes. See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-ldapidentityprovider"]
==== LDAPIdentityProvider
@@ -2108,11 +2387,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request.
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-tlsspec"]
==== TLSSpec
Configuration for TLS parameters related to identity provider integration.
TLSSpec provides TLS configuration for identity provider integration.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$]
****

4
generated/1.24/apis/supervisor/idp/v1alpha1/register.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&LDAPIdentityProviderList{},
&ActiveDirectoryIdentityProvider{},
&ActiveDirectoryIdentityProviderList{},
&GitHubIdentityProvider{},
&GitHubIdentityProviderList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil

256
generated/1.24/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,256 @@
// Copyright 2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
type GitHubIdentityProviderPhase string
const (
// GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources.
GitHubPhasePending GitHubIdentityProviderPhase = "Pending"
// GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state.
GitHubPhaseReady GitHubIdentityProviderPhase = "Ready"
// GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state.
GitHubPhaseError GitHubIdentityProviderPhase = "Error"
)
type GitHubAllowedAuthOrganizationsPolicy string
const (
// GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity
// provider, regardless of their organization membership or lack thereof.
GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers"
// GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in
// the listed GitHub organizations are allowed to log in.
GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations"
)
// GitHubIdentityProviderStatus is the status of an GitHub identity provider.
type GitHubIdentityProviderStatus struct {
// Phase summarizes the overall status of the GitHubIdentityProvider.
//
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase GitHubIdentityProviderPhase `json:"phase,omitempty"`
// Conditions represents the observations of an identity provider's current state.
//
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
// GitHubAPIConfig allows configuration for GitHub Enterprise Server
type GitHubAPIConfig struct {
// Host is required only for GitHub Enterprise Server.
// Defaults to using GitHub's public API ("github.com").
// Do not specify a protocol or scheme since "https://" will always be used.
// Port is optional. Do not specify a path, query, fragment, or userinfo.
// Only domain name or IP address, subdomains (optional), and port (optional).
// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
// in square brackets. Example: "[::1]:443".
//
// +kubebuilder:default="github.com"
// +kubebuilder:validation:MinLength=1
// +optional
Host *string `json:"host"`
// TLS configuration for GitHub Enterprise Server.
//
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
}
// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
// to Kubernetes. See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
type GitHubUsernameAttribute string
const (
// GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes.
GitHubUsernameID GitHubUsernameAttribute = "id"
// GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes.
GitHubUsernameLogin GitHubUsernameAttribute = "login"
// GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the
// username to present to Kubernetes, separated by a colon. Example: "my-login:1234"
GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id"
)
// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
// names to present to Kubernetes. See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
type GitHubGroupNameAttribute string
const (
// GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes.
GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name"
// GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes.
GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug"
)
// GitHubClaims allows customization of the username and groups claims.
type GitHubClaims struct {
// Username configures which property of the GitHub user record shall determine the username in Kubernetes.
//
// Can be either "id", "login", or "login:id". Defaults to "login:id".
//
// GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
// and may not start or end with hyphens. GitHub users are allowed to change their login name,
// although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
// then a second user might change their name from "baz" to "foo" in order to take the old
// username of the first user. For this reason, it is not as safe to make authorization decisions
// based only on the user's login attribute.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these usernames are presented to Kubernetes.
//
// Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
// unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
// from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
// choice to concatenate the two values.
//
// See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
//
// +kubebuilder:default="login:id"
// +kubebuilder:validation:Enum={"id","login","login:id"}
// +optional
Username *GitHubUsernameAttribute `json:"username"`
// Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
//
// Can be either "name" or "slug". Defaults to "slug".
//
// GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
//
// GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
//
// Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
// forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
// or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
// the team name or slug.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these group names are presented to Kubernetes.
//
// See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
//
// +kubebuilder:default=slug
// +kubebuilder:validation:Enum=name;slug
// +optional
Groups *GitHubGroupNameAttribute `json:"groups"`
}
// GitHubClientSpec contains information about the GitHub client that this identity provider will use
// for web-based login flows.
type GitHubClientSpec struct {
// SecretName contains the name of a namespace-local Secret object that provides the clientID and
// clientSecret for an GitHub App or GitHub OAuth2 client.
//
// This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
//
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
type GitHubOrganizationsSpec struct {
// Policy must be set to "AllGitHubUsers" if allowed is empty.
//
// This field only exists to ensure that Pinniped administrators are aware that an empty list of
// allowedOrganizations means all GitHub users are allowed to log in.
//
// +kubebuilder:default=OnlyUsersFromAllowedOrganizations
// +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers
// +optional
Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"`
// Allowed, when specified, indicates that only users with membership in at least one of the listed
// GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
// teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
// provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
//
// The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
// otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
// within that organization.
//
// If no organizations are listed, you must set organizations: AllGitHubUsers.
//
// +kubebuilder:validation:MaxItems=64
// +listType=set
// +optional
Allowed []string `json:"allowed,omitempty"`
}
// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
type GitHubAllowAuthenticationSpec struct {
// Organizations allows customization of which organizations can authenticate using this IDP.
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')"
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')"
Organizations GitHubOrganizationsSpec `json:"organizations"`
}
// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
type GitHubIdentityProviderSpec struct {
// GitHubAPI allows configuration for GitHub Enterprise Server
//
// +kubebuilder:default={}
GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"`
// Claims allows customization of the username and groups claims.
//
// +kubebuilder:default={}
Claims GitHubClaims `json:"claims,omitempty"`
// AllowAuthentication allows customization of who can authenticate using this IDP and how.
AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"`
// Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
Client GitHubClientSpec `json:"client"`
}
// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
//
// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
// as OIDCClients.
//
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type GitHubIdentityProvider struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the identity provider.
Spec GitHubIdentityProviderSpec `json:"spec"`
// Status of the identity provider.
Status GitHubIdentityProviderStatus `json:"status,omitempty"`
}
// GitHubIdentityProviderList lists GitHubIdentityProvider objects.
//
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type GitHubIdentityProviderList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []GitHubIdentityProvider `json:"items"`
}

4
generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go generated
View File

@@ -1,9 +1,9 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
// Configuration for TLS parameters related to identity provider integration.
// TLSSpec provides TLS configuration for identity provider integration.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional

215
generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -203,6 +203,221 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
*out = *in
if in.Host != nil {
in, out := &in.Host, &out.Host
*out = new(string)
**out = **in
}
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig.
func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig {
if in == nil {
return nil
}
out := new(GitHubAPIConfig)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec) {
*out = *in
in.Organizations.DeepCopyInto(&out.Organizations)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec.
func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec {
if in == nil {
return nil
}
out := new(GitHubAllowAuthenticationSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) {
*out = *in
if in.Username != nil {
in, out := &in.Username, &out.Username
*out = new(GitHubUsernameAttribute)
**out = **in
}
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = new(GitHubGroupNameAttribute)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims.
func (in *GitHubClaims) DeepCopy() *GitHubClaims {
if in == nil {
return nil
}
out := new(GitHubClaims)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec.
func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec {
if in == nil {
return nil
}
out := new(GitHubClientSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider.
func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider {
if in == nil {
return nil
}
out := new(GitHubIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]GitHubIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList.
func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) {
*out = *in
in.GitHubAPI.DeepCopyInto(&out.GitHubAPI)
in.Claims.DeepCopyInto(&out.Claims)
in.AllowAuthentication.DeepCopyInto(&out.AllowAuthentication)
out.Client = in.Client
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec.
func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) {
*out = *in
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus.
func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec) {
*out = *in
if in.Policy != nil {
in, out := &in.Policy, &out.Policy
*out = new(GitHubAllowedAuthOrganizationsPolicy)
**out = **in
}
if in.Allowed != nil {
in, out := &in.Allowed, &out.Allowed
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec.
func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec {
if in == nil {
return nil
}
out := new(GitHubOrganizationsSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) {
*out = *in

11
generated/1.24/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -15,6 +15,7 @@ const (
IDPTypeOIDC IDPType = "oidc"
IDPTypeLDAP IDPType = "ldap"
IDPTypeActiveDirectory IDPType = "activedirectory"
IDPTypeGitHub IDPType = "github"
IDPFlowCLIPassword IDPFlow = "cli_password"
IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
@@ -54,7 +55,8 @@ type OIDCDiscoveryResponseIDPEndpoint struct {
// IDPDiscoveryResponse is the response of a FederationDomain's identity provider discovery endpoint.
type IDPDiscoveryResponse struct {
PinnipedIDPs []PinnipedIDP `json:"pinniped_identity_providers"`
PinnipedIDPs []PinnipedIDP `json:"pinniped_identity_providers"`
PinnipedSupportedIDPTypes []PinnipedSupportedIDPType `json:"pinniped_supported_identity_provider_types"`
}
// PinnipedIDP describes a single identity provider as included in the response of a FederationDomain's
@@ -64,3 +66,8 @@ type PinnipedIDP struct {
Type IDPType `json:"type"`
Flows []IDPFlow `json:"flows,omitempty"`
}
// PinnipedSupportedIDPType describes a single identity provider type.
type PinnipedSupportedIDPType struct {
Type IDPType `json:"type"`
}

129
generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,129 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
"context"
v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
labels "k8s.io/apimachinery/pkg/labels"
schema "k8s.io/apimachinery/pkg/runtime/schema"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
testing "k8s.io/client-go/testing"
)
// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface
type FakeGitHubIdentityProviders struct {
Fake *FakeIDPV1alpha1
ns string
}
var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"}
var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"}
// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any.
func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors.
func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) {
obj, err := c.Fake.
Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{})
if obj == nil {
return nil, err
}
label, _, _ := testing.ExtractFromListOptions(opts)
if label == nil {
label = labels.Everything()
}
list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta}
for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items {
if label.Matches(labels.Set(item.Labels)) {
list.Items = append(list.Items, item)
}
}
return list, err
}
// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders.
func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
return c.Fake.
InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts))
}
// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs.
func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
_, err := c.Fake.
Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{})
return err
}
// DeleteCollection deletes a collection of objects.
func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts)
_, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{})
return err
}
// Patch applies the patch and returns the patched gitHubIdentityProvider.
func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}

4
generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go generated
View File

@@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a
return &FakeActiveDirectoryIdentityProviders{c, namespace}
}
func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface {
return &FakeGitHubIdentityProviders{c, namespace}
}
func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface {
return &FakeLDAPIdentityProviders{c, namespace}
}

2
generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go generated
View File

@@ -7,6 +7,8 @@ package v1alpha1
type ActiveDirectoryIdentityProviderExpansion interface{}
type GitHubIdentityProviderExpansion interface{}
type LDAPIdentityProviderExpansion interface{}
type OIDCIdentityProviderExpansion interface{}

182
generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,182 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
"time"
v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1"
scheme "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned/scheme"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
rest "k8s.io/client-go/rest"
)
// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface.
// A group's client should implement this interface.
type GitHubIdentityProvidersGetter interface {
GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface
}
// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources.
type GitHubIdentityProviderInterface interface {
Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error)
Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error)
UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error)
Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error)
List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error)
Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error)
GitHubIdentityProviderExpansion
}
// gitHubIdentityProviders implements GitHubIdentityProviderInterface
type gitHubIdentityProviders struct {
client rest.Interface
ns string
}
// newGitHubIdentityProviders returns a GitHubIdentityProviders
func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders {
return &gitHubIdentityProviders{
client: c.RESTClient(),
ns: namespace,
}
}
// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any.
func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
VersionedParams(&options, scheme.ParameterCodec).
Do(ctx).
Into(result)
return
}
// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors.
func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
result = &v1alpha1.GitHubIdentityProviderList{}
err = c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Do(ctx).
Into(result)
return
}
// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders.
func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
opts.Watch = true
return c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Watch(ctx)
}
// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Post().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Put().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(gitHubIdentityProvider.Name).
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Put().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(gitHubIdentityProvider.Name).
SubResource("status").
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs.
func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
return c.client.Delete().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
Body(&opts).
Do(ctx).
Error()
}
// DeleteCollection deletes a collection of objects.
func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
var timeout time.Duration
if listOpts.TimeoutSeconds != nil {
timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
}
return c.client.Delete().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&listOpts, scheme.ParameterCodec).
Timeout(timeout).
Body(&opts).
Do(ctx).
Error()
}
// Patch applies the patch and returns the patched gitHubIdentityProvider.
func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Patch(pt).
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
SubResource(subresources...).
VersionedParams(&opts, scheme.ParameterCodec).
Body(data).
Do(ctx).
Into(result)
return
}

5
generated/1.24/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go generated
View File

@@ -16,6 +16,7 @@ import (
type IDPV1alpha1Interface interface {
RESTClient() rest.Interface
ActiveDirectoryIdentityProvidersGetter
GitHubIdentityProvidersGetter
LDAPIdentityProvidersGetter
OIDCIdentityProvidersGetter
}
@@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A
return newActiveDirectoryIdentityProviders(c, namespace)
}
func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface {
return newGitHubIdentityProviders(c, namespace)
}
func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface {
return newLDAPIdentityProviders(c, namespace)
}

2
generated/1.24/client/supervisor/informers/externalversions/generic.go generated
View File

@@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
// Group=idp.supervisor.pinniped.dev, Version=v1alpha1
case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"):

77
generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,77 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
time "time"
idpv1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1"
versioned "go.pinniped.dev/generated/1.24/client/supervisor/clientset/versioned"
internalinterfaces "go.pinniped.dev/generated/1.24/client/supervisor/informers/externalversions/internalinterfaces"
v1alpha1 "go.pinniped.dev/generated/1.24/client/supervisor/listers/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// GitHubIdentityProviderInformer provides access to a shared informer and lister for
// GitHubIdentityProviders.
type GitHubIdentityProviderInformer interface {
Informer() cache.SharedIndexInformer
Lister() v1alpha1.GitHubIdentityProviderLister
}
type gitHubIdentityProviderInformer struct {
factory internalinterfaces.SharedInformerFactory
tweakListOptions internalinterfaces.TweakListOptionsFunc
namespace string
}
// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
}
// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options)
},
},
&idpv1alpha1.GitHubIdentityProvider{},
resyncPeriod,
indexers,
)
}
func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
}
func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer {
return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer)
}
func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister {
return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer())
}

7
generated/1.24/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go generated
View File

@@ -13,6 +13,8 @@ import (
type Interface interface {
// ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer.
ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer
// GitHubIdentityProviders returns a GitHubIdentityProviderInformer.
GitHubIdentityProviders() GitHubIdentityProviderInformer
// LDAPIdentityProviders returns a LDAPIdentityProviderInformer.
LDAPIdentityProviders() LDAPIdentityProviderInformer
// OIDCIdentityProviders returns a OIDCIdentityProviderInformer.
@@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv
return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
// GitHubIdentityProviders returns a GitHubIdentityProviderInformer.
func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer {
return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
// LDAPIdentityProviders returns a LDAPIdentityProviderInformer.
func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer {
return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}

8
generated/1.24/client/supervisor/listers/idp/v1alpha1/expansion_generated.go generated
View File

@@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{}
// ActiveDirectoryIdentityProviderNamespaceLister.
type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{}
// GitHubIdentityProviderListerExpansion allows custom methods to be added to
// GitHubIdentityProviderLister.
type GitHubIdentityProviderListerExpansion interface{}
// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to
// GitHubIdentityProviderNamespaceLister.
type GitHubIdentityProviderNamespaceListerExpansion interface{}
// LDAPIdentityProviderListerExpansion allows custom methods to be added to
// LDAPIdentityProviderLister.
type LDAPIdentityProviderListerExpansion interface{}

86
generated/1.24/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,86 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by lister-gen. DO NOT EDIT.
package v1alpha1
import (
v1alpha1 "go.pinniped.dev/generated/1.24/apis/supervisor/idp/v1alpha1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
)
// GitHubIdentityProviderLister helps list GitHubIdentityProviders.
// All objects returned here must be treated as read-only.
type GitHubIdentityProviderLister interface {
// List lists all GitHubIdentityProviders in the indexer.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error)
// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders.
GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister
GitHubIdentityProviderListerExpansion
}
// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface.
type gitHubIdentityProviderLister struct {
indexer cache.Indexer
}
// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister.
func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister {
return &gitHubIdentityProviderLister{indexer: indexer}
}
// List lists all GitHubIdentityProviders in the indexer.
func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) {
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider))
})
return ret, err
}
// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders.
func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister {
return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
}
// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders.
// All objects returned here must be treated as read-only.
type GitHubIdentityProviderNamespaceLister interface {
// List lists all GitHubIdentityProviders in the indexer for a given namespace.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error)
// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name.
// Objects returned here must be treated as read-only.
Get(name string) (*v1alpha1.GitHubIdentityProvider, error)
GitHubIdentityProviderNamespaceListerExpansion
}
// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister
// interface.
type gitHubIdentityProviderNamespaceLister struct {
indexer cache.Indexer
namespace string
}
// List lists all GitHubIdentityProviders in the indexer for a given namespace.
func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) {
err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider))
})
return ret, err
}
// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name.
func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) {
obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
if err != nil {
return nil, err
}
if !exists {
return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name)
}
return obj.(*v1alpha1.GitHubIdentityProvider), nil
}

2
generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: jwtauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

2
generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: webhookauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

2
generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: credentialissuers.config.concierge.pinniped.dev
spec:
group: config.concierge.pinniped.dev

2
generated/1.24/crds/config.supervisor.pinniped.dev_federationdomains.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: federationdomains.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev

2
generated/1.24/crds/config.supervisor.pinniped.dev_oidcclients.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: oidcclients.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev

2
generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

326
generated/1.24/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml generated Normal file
View File

@@ -0,0 +1,326 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: githubidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev
names:
categories:
- pinniped
- pinniped-idp
- pinniped-idps
kind: GitHubIdentityProvider
listKind: GitHubIdentityProviderList
plural: githubidentityproviders
singular: githubidentityprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.githubAPI.host
name: Host
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec for configuring the identity provider.
properties:
allowAuthentication:
description: AllowAuthentication allows customization of who can authenticate
using this IDP and how.
properties:
organizations:
description: Organizations allows customization of which organizations
can authenticate using this IDP.
properties:
allowed:
description: |-
Allowed, when specified, indicates that only users with membership in at least one of the listed
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
within that organization.
If no organizations are listed, you must set organizations: AllGitHubUsers.
items:
type: string
maxItems: 64
type: array
x-kubernetes-list-type: set
policy:
default: OnlyUsersFromAllowedOrganizations
description: |-
Policy must be set to "AllGitHubUsers" if allowed is empty.
This field only exists to ensure that Pinniped administrators are aware that an empty list of
allowedOrganizations means all GitHub users are allowed to log in.
enum:
- OnlyUsersFromAllowedOrganizations
- AllGitHubUsers
type: string
type: object
x-kubernetes-validations:
- message: spec.allowAuthentication.organizations.policy must
be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed
has organizations listed
rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy
== ''AllGitHubUsers'')'
- message: spec.allowAuthentication.organizations.policy must
be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed
is empty
rule: '!((!has(self.allowed) || size(self.allowed) == 0) &&
self.policy == ''OnlyUsersFromAllowedOrganizations'')'
required:
- organizations
type: object
claims:
default: {}
description: Claims allows customization of the username and groups
claims.
properties:
groups:
default: slug
description: |-
Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
Can be either "name" or "slug". Defaults to "slug".
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
the team name or slug.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these group names are presented to Kubernetes.
See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
enum:
- name
- slug
type: string
username:
default: login:id
description: |-
Username configures which property of the GitHub user record shall determine the username in Kubernetes.
Can be either "id", "login", or "login:id". Defaults to "login:id".
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
and may not start or end with hyphens. GitHub users are allowed to change their login name,
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
then a second user might change their name from "baz" to "foo" in order to take the old
username of the first user. For this reason, it is not as safe to make authorization decisions
based only on the user's login attribute.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these usernames are presented to Kubernetes.
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
choice to concatenate the two values.
See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
enum:
- id
- login
- login:id
type: string
type: object
client:
description: Client identifies the secret with credentials for a GitHub
App or GitHub OAuth2 App (a GitHub client).
properties:
secretName:
description: |-
SecretName contains the name of a namespace-local Secret object that provides the clientID and
clientSecret for an GitHub App or GitHub OAuth2 client.
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
minLength: 1
type: string
required:
- secretName
type: object
githubAPI:
default: {}
description: GitHubAPI allows configuration for GitHub Enterprise
Server
properties:
host:
default: github.com
description: |-
Host is required only for GitHub Enterprise Server.
Defaults to using GitHub's public API ("github.com").
Do not specify a protocol or scheme since "https://" will always be used.
Port is optional. Do not specify a path, query, fragment, or userinfo.
Only domain name or IP address, subdomains (optional), and port (optional).
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
in square brackets. Example: "[::1]:443".
minLength: 1
type: string
tls:
description: TLS configuration for GitHub Enterprise Server.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM
bundle). If omitted, a default set of system roots will
be trusted.
type: string
type: object
type: object
required:
- allowAuthentication
- client
type: object
status:
description: Status of the identity provider.
properties:
conditions:
description: Conditions represents the observations of an identity
provider's current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the GitHubIdentityProvider.
enum:
- Pending
- Ready
- Error
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}

2
generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: ldapidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

2
generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: oidcidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

282
generated/1.25/README.adoc generated
View File

@@ -1645,6 +1645,285 @@ Optional, when empty this defaults to "objectGUID". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig"]
==== GitHubAPIConfig
GitHubAPIConfig allows configuration for GitHub Enterprise Server
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"]
==== GitHubAllowAuthenticationSpec
GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"]
==== GitHubAllowedAuthOrganizationsPolicy (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims"]
==== GitHubClaims
GitHubClaims allows customization of the username and groups claims.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
then a second user might change their name from "baz" to "foo" in order to take the old +
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclientspec"]
==== GitHubClientSpec
GitHubClientSpec contains information about the GitHub client that this identity provider will use
for web-based login flows.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"]
==== GitHubGroupNameAttribute (string)
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
names to present to Kubernetes. See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityprovider"]
==== GitHubIdentityProvider
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"]
==== GitHubIdentityProviderPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"]
==== GitHubIdentityProviderSpec
GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"]
==== GitHubIdentityProviderStatus
GitHubIdentityProviderStatus is the status of an GitHub identity provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuborganizationsspec"]
==== GitHubOrganizationsSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include +
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubusernameattribute"]
==== GitHubUsernameAttribute (string)
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
to Kubernetes. See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-ldapidentityprovider"]
==== LDAPIdentityProvider
@@ -2108,11 +2387,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request.
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-tlsspec"]
==== TLSSpec
Configuration for TLS parameters related to identity provider integration.
TLSSpec provides TLS configuration for identity provider integration.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$]
****

4
generated/1.25/apis/supervisor/idp/v1alpha1/register.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&LDAPIdentityProviderList{},
&ActiveDirectoryIdentityProvider{},
&ActiveDirectoryIdentityProviderList{},
&GitHubIdentityProvider{},
&GitHubIdentityProviderList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil

256
generated/1.25/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,256 @@
// Copyright 2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
type GitHubIdentityProviderPhase string
const (
// GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources.
GitHubPhasePending GitHubIdentityProviderPhase = "Pending"
// GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state.
GitHubPhaseReady GitHubIdentityProviderPhase = "Ready"
// GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state.
GitHubPhaseError GitHubIdentityProviderPhase = "Error"
)
type GitHubAllowedAuthOrganizationsPolicy string
const (
// GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity
// provider, regardless of their organization membership or lack thereof.
GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers"
// GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in
// the listed GitHub organizations are allowed to log in.
GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations"
)
// GitHubIdentityProviderStatus is the status of an GitHub identity provider.
type GitHubIdentityProviderStatus struct {
// Phase summarizes the overall status of the GitHubIdentityProvider.
//
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase GitHubIdentityProviderPhase `json:"phase,omitempty"`
// Conditions represents the observations of an identity provider's current state.
//
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
// GitHubAPIConfig allows configuration for GitHub Enterprise Server
type GitHubAPIConfig struct {
// Host is required only for GitHub Enterprise Server.
// Defaults to using GitHub's public API ("github.com").
// Do not specify a protocol or scheme since "https://" will always be used.
// Port is optional. Do not specify a path, query, fragment, or userinfo.
// Only domain name or IP address, subdomains (optional), and port (optional).
// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
// in square brackets. Example: "[::1]:443".
//
// +kubebuilder:default="github.com"
// +kubebuilder:validation:MinLength=1
// +optional
Host *string `json:"host"`
// TLS configuration for GitHub Enterprise Server.
//
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
}
// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
// to Kubernetes. See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
type GitHubUsernameAttribute string
const (
// GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes.
GitHubUsernameID GitHubUsernameAttribute = "id"
// GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes.
GitHubUsernameLogin GitHubUsernameAttribute = "login"
// GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the
// username to present to Kubernetes, separated by a colon. Example: "my-login:1234"
GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id"
)
// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
// names to present to Kubernetes. See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
type GitHubGroupNameAttribute string
const (
// GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes.
GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name"
// GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes.
GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug"
)
// GitHubClaims allows customization of the username and groups claims.
type GitHubClaims struct {
// Username configures which property of the GitHub user record shall determine the username in Kubernetes.
//
// Can be either "id", "login", or "login:id". Defaults to "login:id".
//
// GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
// and may not start or end with hyphens. GitHub users are allowed to change their login name,
// although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
// then a second user might change their name from "baz" to "foo" in order to take the old
// username of the first user. For this reason, it is not as safe to make authorization decisions
// based only on the user's login attribute.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these usernames are presented to Kubernetes.
//
// Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
// unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
// from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
// choice to concatenate the two values.
//
// See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
//
// +kubebuilder:default="login:id"
// +kubebuilder:validation:Enum={"id","login","login:id"}
// +optional
Username *GitHubUsernameAttribute `json:"username"`
// Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
//
// Can be either "name" or "slug". Defaults to "slug".
//
// GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
//
// GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
//
// Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
// forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
// or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
// the team name or slug.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these group names are presented to Kubernetes.
//
// See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
//
// +kubebuilder:default=slug
// +kubebuilder:validation:Enum=name;slug
// +optional
Groups *GitHubGroupNameAttribute `json:"groups"`
}
// GitHubClientSpec contains information about the GitHub client that this identity provider will use
// for web-based login flows.
type GitHubClientSpec struct {
// SecretName contains the name of a namespace-local Secret object that provides the clientID and
// clientSecret for an GitHub App or GitHub OAuth2 client.
//
// This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
//
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
type GitHubOrganizationsSpec struct {
// Policy must be set to "AllGitHubUsers" if allowed is empty.
//
// This field only exists to ensure that Pinniped administrators are aware that an empty list of
// allowedOrganizations means all GitHub users are allowed to log in.
//
// +kubebuilder:default=OnlyUsersFromAllowedOrganizations
// +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers
// +optional
Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"`
// Allowed, when specified, indicates that only users with membership in at least one of the listed
// GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
// teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
// provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
//
// The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
// otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
// within that organization.
//
// If no organizations are listed, you must set organizations: AllGitHubUsers.
//
// +kubebuilder:validation:MaxItems=64
// +listType=set
// +optional
Allowed []string `json:"allowed,omitempty"`
}
// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
type GitHubAllowAuthenticationSpec struct {
// Organizations allows customization of which organizations can authenticate using this IDP.
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')"
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')"
Organizations GitHubOrganizationsSpec `json:"organizations"`
}
// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
type GitHubIdentityProviderSpec struct {
// GitHubAPI allows configuration for GitHub Enterprise Server
//
// +kubebuilder:default={}
GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"`
// Claims allows customization of the username and groups claims.
//
// +kubebuilder:default={}
Claims GitHubClaims `json:"claims,omitempty"`
// AllowAuthentication allows customization of who can authenticate using this IDP and how.
AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"`
// Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
Client GitHubClientSpec `json:"client"`
}
// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
//
// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
// as OIDCClients.
//
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type GitHubIdentityProvider struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the identity provider.
Spec GitHubIdentityProviderSpec `json:"spec"`
// Status of the identity provider.
Status GitHubIdentityProviderStatus `json:"status,omitempty"`
}
// GitHubIdentityProviderList lists GitHubIdentityProvider objects.
//
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type GitHubIdentityProviderList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []GitHubIdentityProvider `json:"items"`
}

4
generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go generated
View File

@@ -1,9 +1,9 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
// Configuration for TLS parameters related to identity provider integration.
// TLSSpec provides TLS configuration for identity provider integration.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional

215
generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -203,6 +203,221 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
*out = *in
if in.Host != nil {
in, out := &in.Host, &out.Host
*out = new(string)
**out = **in
}
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig.
func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig {
if in == nil {
return nil
}
out := new(GitHubAPIConfig)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec) {
*out = *in
in.Organizations.DeepCopyInto(&out.Organizations)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec.
func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec {
if in == nil {
return nil
}
out := new(GitHubAllowAuthenticationSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) {
*out = *in
if in.Username != nil {
in, out := &in.Username, &out.Username
*out = new(GitHubUsernameAttribute)
**out = **in
}
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = new(GitHubGroupNameAttribute)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims.
func (in *GitHubClaims) DeepCopy() *GitHubClaims {
if in == nil {
return nil
}
out := new(GitHubClaims)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec.
func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec {
if in == nil {
return nil
}
out := new(GitHubClientSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider.
func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider {
if in == nil {
return nil
}
out := new(GitHubIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]GitHubIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList.
func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) {
*out = *in
in.GitHubAPI.DeepCopyInto(&out.GitHubAPI)
in.Claims.DeepCopyInto(&out.Claims)
in.AllowAuthentication.DeepCopyInto(&out.AllowAuthentication)
out.Client = in.Client
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec.
func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) {
*out = *in
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus.
func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec) {
*out = *in
if in.Policy != nil {
in, out := &in.Policy, &out.Policy
*out = new(GitHubAllowedAuthOrganizationsPolicy)
**out = **in
}
if in.Allowed != nil {
in, out := &in.Allowed, &out.Allowed
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec.
func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec {
if in == nil {
return nil
}
out := new(GitHubOrganizationsSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) {
*out = *in

11
generated/1.25/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -15,6 +15,7 @@ const (
IDPTypeOIDC IDPType = "oidc"
IDPTypeLDAP IDPType = "ldap"
IDPTypeActiveDirectory IDPType = "activedirectory"
IDPTypeGitHub IDPType = "github"
IDPFlowCLIPassword IDPFlow = "cli_password"
IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
@@ -54,7 +55,8 @@ type OIDCDiscoveryResponseIDPEndpoint struct {
// IDPDiscoveryResponse is the response of a FederationDomain's identity provider discovery endpoint.
type IDPDiscoveryResponse struct {
PinnipedIDPs []PinnipedIDP `json:"pinniped_identity_providers"`
PinnipedIDPs []PinnipedIDP `json:"pinniped_identity_providers"`
PinnipedSupportedIDPTypes []PinnipedSupportedIDPType `json:"pinniped_supported_identity_provider_types"`
}
// PinnipedIDP describes a single identity provider as included in the response of a FederationDomain's
@@ -64,3 +66,8 @@ type PinnipedIDP struct {
Type IDPType `json:"type"`
Flows []IDPFlow `json:"flows,omitempty"`
}
// PinnipedSupportedIDPType describes a single identity provider type.
type PinnipedSupportedIDPType struct {
Type IDPType `json:"type"`
}

129
generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,129 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
"context"
v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
labels "k8s.io/apimachinery/pkg/labels"
schema "k8s.io/apimachinery/pkg/runtime/schema"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
testing "k8s.io/client-go/testing"
)
// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface
type FakeGitHubIdentityProviders struct {
Fake *FakeIDPV1alpha1
ns string
}
var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"}
var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"}
// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any.
func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors.
func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) {
obj, err := c.Fake.
Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{})
if obj == nil {
return nil, err
}
label, _, _ := testing.ExtractFromListOptions(opts)
if label == nil {
label = labels.Everything()
}
list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta}
for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items {
if label.Matches(labels.Set(item.Labels)) {
list.Items = append(list.Items, item)
}
}
return list, err
}
// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders.
func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
return c.Fake.
InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts))
}
// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs.
func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
_, err := c.Fake.
Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{})
return err
}
// DeleteCollection deletes a collection of objects.
func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts)
_, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{})
return err
}
// Patch applies the patch and returns the patched gitHubIdentityProvider.
func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}

4
generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go generated
View File

@@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a
return &FakeActiveDirectoryIdentityProviders{c, namespace}
}
func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface {
return &FakeGitHubIdentityProviders{c, namespace}
}
func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface {
return &FakeLDAPIdentityProviders{c, namespace}
}

2
generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go generated
View File

@@ -7,6 +7,8 @@ package v1alpha1
type ActiveDirectoryIdentityProviderExpansion interface{}
type GitHubIdentityProviderExpansion interface{}
type LDAPIdentityProviderExpansion interface{}
type OIDCIdentityProviderExpansion interface{}

182
generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,182 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
"time"
v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1"
scheme "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned/scheme"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
rest "k8s.io/client-go/rest"
)
// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface.
// A group's client should implement this interface.
type GitHubIdentityProvidersGetter interface {
GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface
}
// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources.
type GitHubIdentityProviderInterface interface {
Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error)
Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error)
UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error)
Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error)
List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error)
Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error)
GitHubIdentityProviderExpansion
}
// gitHubIdentityProviders implements GitHubIdentityProviderInterface
type gitHubIdentityProviders struct {
client rest.Interface
ns string
}
// newGitHubIdentityProviders returns a GitHubIdentityProviders
func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders {
return &gitHubIdentityProviders{
client: c.RESTClient(),
ns: namespace,
}
}
// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any.
func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
VersionedParams(&options, scheme.ParameterCodec).
Do(ctx).
Into(result)
return
}
// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors.
func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
result = &v1alpha1.GitHubIdentityProviderList{}
err = c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Do(ctx).
Into(result)
return
}
// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders.
func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
opts.Watch = true
return c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Watch(ctx)
}
// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Post().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Put().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(gitHubIdentityProvider.Name).
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Put().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(gitHubIdentityProvider.Name).
SubResource("status").
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs.
func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
return c.client.Delete().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
Body(&opts).
Do(ctx).
Error()
}
// DeleteCollection deletes a collection of objects.
func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
var timeout time.Duration
if listOpts.TimeoutSeconds != nil {
timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
}
return c.client.Delete().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&listOpts, scheme.ParameterCodec).
Timeout(timeout).
Body(&opts).
Do(ctx).
Error()
}
// Patch applies the patch and returns the patched gitHubIdentityProvider.
func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Patch(pt).
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
SubResource(subresources...).
VersionedParams(&opts, scheme.ParameterCodec).
Body(data).
Do(ctx).
Into(result)
return
}

5
generated/1.25/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go generated
View File

@@ -16,6 +16,7 @@ import (
type IDPV1alpha1Interface interface {
RESTClient() rest.Interface
ActiveDirectoryIdentityProvidersGetter
GitHubIdentityProvidersGetter
LDAPIdentityProvidersGetter
OIDCIdentityProvidersGetter
}
@@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A
return newActiveDirectoryIdentityProviders(c, namespace)
}
func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface {
return newGitHubIdentityProviders(c, namespace)
}
func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface {
return newLDAPIdentityProviders(c, namespace)
}

2
generated/1.25/client/supervisor/informers/externalversions/generic.go generated
View File

@@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
// Group=idp.supervisor.pinniped.dev, Version=v1alpha1
case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"):

77
generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,77 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
time "time"
idpv1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1"
versioned "go.pinniped.dev/generated/1.25/client/supervisor/clientset/versioned"
internalinterfaces "go.pinniped.dev/generated/1.25/client/supervisor/informers/externalversions/internalinterfaces"
v1alpha1 "go.pinniped.dev/generated/1.25/client/supervisor/listers/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// GitHubIdentityProviderInformer provides access to a shared informer and lister for
// GitHubIdentityProviders.
type GitHubIdentityProviderInformer interface {
Informer() cache.SharedIndexInformer
Lister() v1alpha1.GitHubIdentityProviderLister
}
type gitHubIdentityProviderInformer struct {
factory internalinterfaces.SharedInformerFactory
tweakListOptions internalinterfaces.TweakListOptionsFunc
namespace string
}
// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
}
// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options)
},
},
&idpv1alpha1.GitHubIdentityProvider{},
resyncPeriod,
indexers,
)
}
func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
}
func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer {
return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer)
}
func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister {
return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer())
}

7
generated/1.25/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go generated
View File

@@ -13,6 +13,8 @@ import (
type Interface interface {
// ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer.
ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer
// GitHubIdentityProviders returns a GitHubIdentityProviderInformer.
GitHubIdentityProviders() GitHubIdentityProviderInformer
// LDAPIdentityProviders returns a LDAPIdentityProviderInformer.
LDAPIdentityProviders() LDAPIdentityProviderInformer
// OIDCIdentityProviders returns a OIDCIdentityProviderInformer.
@@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv
return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
// GitHubIdentityProviders returns a GitHubIdentityProviderInformer.
func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer {
return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
// LDAPIdentityProviders returns a LDAPIdentityProviderInformer.
func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer {
return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}

8
generated/1.25/client/supervisor/listers/idp/v1alpha1/expansion_generated.go generated
View File

@@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{}
// ActiveDirectoryIdentityProviderNamespaceLister.
type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{}
// GitHubIdentityProviderListerExpansion allows custom methods to be added to
// GitHubIdentityProviderLister.
type GitHubIdentityProviderListerExpansion interface{}
// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to
// GitHubIdentityProviderNamespaceLister.
type GitHubIdentityProviderNamespaceListerExpansion interface{}
// LDAPIdentityProviderListerExpansion allows custom methods to be added to
// LDAPIdentityProviderLister.
type LDAPIdentityProviderListerExpansion interface{}

86
generated/1.25/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,86 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by lister-gen. DO NOT EDIT.
package v1alpha1
import (
v1alpha1 "go.pinniped.dev/generated/1.25/apis/supervisor/idp/v1alpha1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
)
// GitHubIdentityProviderLister helps list GitHubIdentityProviders.
// All objects returned here must be treated as read-only.
type GitHubIdentityProviderLister interface {
// List lists all GitHubIdentityProviders in the indexer.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error)
// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders.
GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister
GitHubIdentityProviderListerExpansion
}
// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface.
type gitHubIdentityProviderLister struct {
indexer cache.Indexer
}
// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister.
func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister {
return &gitHubIdentityProviderLister{indexer: indexer}
}
// List lists all GitHubIdentityProviders in the indexer.
func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) {
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider))
})
return ret, err
}
// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders.
func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister {
return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
}
// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders.
// All objects returned here must be treated as read-only.
type GitHubIdentityProviderNamespaceLister interface {
// List lists all GitHubIdentityProviders in the indexer for a given namespace.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error)
// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name.
// Objects returned here must be treated as read-only.
Get(name string) (*v1alpha1.GitHubIdentityProvider, error)
GitHubIdentityProviderNamespaceListerExpansion
}
// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister
// interface.
type gitHubIdentityProviderNamespaceLister struct {
indexer cache.Indexer
namespace string
}
// List lists all GitHubIdentityProviders in the indexer for a given namespace.
func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) {
err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider))
})
return ret, err
}
// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name.
func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) {
obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
if err != nil {
return nil, err
}
if !exists {
return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name)
}
return obj.(*v1alpha1.GitHubIdentityProvider), nil
}

2
generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: jwtauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

2
generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: webhookauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

2
generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: credentialissuers.config.concierge.pinniped.dev
spec:
group: config.concierge.pinniped.dev

2
generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: federationdomains.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev

2
generated/1.25/crds/config.supervisor.pinniped.dev_oidcclients.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: oidcclients.config.supervisor.pinniped.dev
spec:
group: config.supervisor.pinniped.dev

2
generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

326
generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml generated Normal file
View File

@@ -0,0 +1,326 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
name: githubidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev
names:
categories:
- pinniped
- pinniped-idp
- pinniped-idps
kind: GitHubIdentityProvider
listKind: GitHubIdentityProviderList
plural: githubidentityproviders
singular: githubidentityprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.githubAPI.host
name: Host
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec for configuring the identity provider.
properties:
allowAuthentication:
description: AllowAuthentication allows customization of who can authenticate
using this IDP and how.
properties:
organizations:
description: Organizations allows customization of which organizations
can authenticate using this IDP.
properties:
allowed:
description: |-
Allowed, when specified, indicates that only users with membership in at least one of the listed
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
within that organization.
If no organizations are listed, you must set organizations: AllGitHubUsers.
items:
type: string
maxItems: 64
type: array
x-kubernetes-list-type: set
policy:
default: OnlyUsersFromAllowedOrganizations
description: |-
Policy must be set to "AllGitHubUsers" if allowed is empty.
This field only exists to ensure that Pinniped administrators are aware that an empty list of
allowedOrganizations means all GitHub users are allowed to log in.
enum:
- OnlyUsersFromAllowedOrganizations
- AllGitHubUsers
type: string
type: object
x-kubernetes-validations:
- message: spec.allowAuthentication.organizations.policy must
be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed
has organizations listed
rule: '!(has(self.allowed) && size(self.allowed) > 0 && self.policy
== ''AllGitHubUsers'')'
- message: spec.allowAuthentication.organizations.policy must
be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed
is empty
rule: '!((!has(self.allowed) || size(self.allowed) == 0) &&
self.policy == ''OnlyUsersFromAllowedOrganizations'')'
required:
- organizations
type: object
claims:
default: {}
description: Claims allows customization of the username and groups
claims.
properties:
groups:
default: slug
description: |-
Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
Can be either "name" or "slug". Defaults to "slug".
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
the team name or slug.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these group names are presented to Kubernetes.
See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
enum:
- name
- slug
type: string
username:
default: login:id
description: |-
Username configures which property of the GitHub user record shall determine the username in Kubernetes.
Can be either "id", "login", or "login:id". Defaults to "login:id".
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
and may not start or end with hyphens. GitHub users are allowed to change their login name,
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
then a second user might change their name from "baz" to "foo" in order to take the old
username of the first user. For this reason, it is not as safe to make authorization decisions
based only on the user's login attribute.
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
FederationDomain to further customize how these usernames are presented to Kubernetes.
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
choice to concatenate the two values.
See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
enum:
- id
- login
- login:id
type: string
type: object
client:
description: Client identifies the secret with credentials for a GitHub
App or GitHub OAuth2 App (a GitHub client).
properties:
secretName:
description: |-
SecretName contains the name of a namespace-local Secret object that provides the clientID and
clientSecret for an GitHub App or GitHub OAuth2 client.
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
minLength: 1
type: string
required:
- secretName
type: object
githubAPI:
default: {}
description: GitHubAPI allows configuration for GitHub Enterprise
Server
properties:
host:
default: github.com
description: |-
Host is required only for GitHub Enterprise Server.
Defaults to using GitHub's public API ("github.com").
Do not specify a protocol or scheme since "https://" will always be used.
Port is optional. Do not specify a path, query, fragment, or userinfo.
Only domain name or IP address, subdomains (optional), and port (optional).
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
in square brackets. Example: "[::1]:443".
minLength: 1
type: string
tls:
description: TLS configuration for GitHub Enterprise Server.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM
bundle). If omitted, a default set of system roots will
be trusted.
type: string
type: object
type: object
required:
- allowAuthentication
- client
type: object
status:
description: Status of the identity provider.
properties:
conditions:
description: Conditions represents the observations of an identity
provider's current state.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
phase:
default: Pending
description: Phase summarizes the overall status of the GitHubIdentityProvider.
enum:
- Pending
- Ready
- Error
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}

2
generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: ldapidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

2
generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: oidcidentityproviders.idp.supervisor.pinniped.dev
spec:
group: idp.supervisor.pinniped.dev

282
generated/1.26/README.adoc generated
View File

@@ -1645,6 +1645,285 @@ Optional, when empty this defaults to "objectGUID". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig"]
==== GitHubAPIConfig
GitHubAPIConfig allows configuration for GitHub Enterprise Server
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec"]
==== GitHubAllowAuthenticationSpec
GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`organizations`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]__ | Organizations allows customization of which organizations can authenticate using this IDP. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy"]
==== GitHubAllowedAuthOrganizationsPolicy (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuborganizationsspec[$$GitHubOrganizationsSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims"]
==== GitHubClaims
GitHubClaims allows customization of the username and groups claims.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`username`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubusernameattribute[$$GitHubUsernameAttribute$$]__ | Username configures which property of the GitHub user record shall determine the username in Kubernetes. +
Can be either "id", "login", or "login:id". Defaults to "login:id". +
GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens, +
and may not start or end with hyphens. GitHub users are allowed to change their login name, +
although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar", +
then a second user might change their name from "baz" to "foo" in order to take the old +
username of the first user. For this reason, it is not as safe to make authorization decisions +
based only on the user's login attribute. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these usernames are presented to Kubernetes. +
Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and +
unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value +
from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable +
choice to concatenate the two values. +
See the response schema for +
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user). +
| *`groups`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubgroupnameattribute[$$GitHubGroupNameAttribute$$]__ | Groups configures which property of the GitHub team record shall determine the group names in Kubernetes. +
Can be either "name" or "slug". Defaults to "slug". +
GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!"). +
GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins"). +
Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a +
forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters +
or single hyphens, so the first forward slash `/` will be the separator between the organization login name and +
the team name or slug. +
If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's +
FederationDomain to further customize how these group names are presented to Kubernetes. +
See the response schema for +
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclientspec"]
==== GitHubClientSpec
GitHubClientSpec contains information about the GitHub client that this identity provider will use
for web-based login flows.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and +
clientSecret for an GitHub App or GitHub OAuth2 client. +
This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubgroupnameattribute"]
==== GitHubGroupNameAttribute (string)
GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
names to present to Kubernetes. See the response schema for
[List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityprovider"]
==== GitHubIdentityProvider
GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
as OIDCClients.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderlist[$$GitHubIdentityProviderList$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec[$$GitHubIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +
| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]__ | Status of the identity provider. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderphase"]
==== GitHubIdentityProviderPhase (string)
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus[$$GitHubIdentityProviderStatus$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderspec"]
==== GitHubIdentityProviderSpec
GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`githubAPI`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]__ | GitHubAPI allows configuration for GitHub Enterprise Server +
| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]__ | Claims allows customization of the username and groups claims. +
| *`allowAuthentication`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]__ | AllowAuthentication allows customization of who can authenticate using this IDP and how. +
| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclientspec[$$GitHubClientSpec$$]__ | Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client). +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderstatus"]
==== GitHubIdentityProviderStatus
GitHubIdentityProviderStatus is the status of an GitHub identity provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityprovider[$$GitHubIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`phase`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubidentityproviderphase[$$GitHubIdentityProviderPhase$$]__ | Phase summarizes the overall status of the GitHubIdentityProvider. +
| *`conditions`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#condition-v1-meta[$$Condition$$] array__ | Conditions represents the observations of an identity provider's current state. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuborganizationsspec"]
==== GitHubOrganizationsSpec
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowauthenticationspec[$$GitHubAllowAuthenticationSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
allowedOrganizations means all GitHub users are allowed to log in. +
| *`allowed`* __string array__ | Allowed, when specified, indicates that only users with membership in at least one of the listed +
GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include +
teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be +
provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP. +
The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations, +
otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams +
within that organization. +
If no organizations are listed, you must set organizations: AllGitHubUsers. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubusernameattribute"]
==== GitHubUsernameAttribute (string)
GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
to Kubernetes. See the response schema for
[Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubclaims[$$GitHubClaims$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-ldapidentityprovider"]
==== LDAPIdentityProvider
@@ -2108,11 +2387,12 @@ Parameter is a key/value pair which represents a parameter in an HTTP request.
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-tlsspec"]
==== TLSSpec
Configuration for TLS parameters related to identity provider integration.
TLSSpec provides TLS configuration for identity provider integration.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-activedirectoryidentityproviderspec[$$ActiveDirectoryIdentityProviderSpec$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig[$$GitHubAPIConfig$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-ldapidentityproviderspec[$$LDAPIdentityProviderSpec$$]
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-oidcidentityproviderspec[$$OIDCIdentityProviderSpec$$]
****

4
generated/1.26/apis/supervisor/idp/v1alpha1/register.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -36,6 +36,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&LDAPIdentityProviderList{},
&ActiveDirectoryIdentityProvider{},
&ActiveDirectoryIdentityProviderList{},
&GitHubIdentityProvider{},
&GitHubIdentityProviderList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil

256
generated/1.26/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,256 @@
// Copyright 2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
type GitHubIdentityProviderPhase string
const (
// GitHubPhasePending is the default phase for newly-created GitHubIdentityProvider resources.
GitHubPhasePending GitHubIdentityProviderPhase = "Pending"
// GitHubPhaseReady is the phase for an GitHubIdentityProvider resource in a healthy state.
GitHubPhaseReady GitHubIdentityProviderPhase = "Ready"
// GitHubPhaseError is the phase for an GitHubIdentityProvider in an unhealthy state.
GitHubPhaseError GitHubIdentityProviderPhase = "Error"
)
type GitHubAllowedAuthOrganizationsPolicy string
const (
// GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers means any GitHub user is allowed to log in using this identity
// provider, regardless of their organization membership or lack thereof.
GitHubAllowedAuthOrganizationsPolicyAllGitHubUsers GitHubAllowedAuthOrganizationsPolicy = "AllGitHubUsers"
// GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations means only those users with membership in
// the listed GitHub organizations are allowed to log in.
GitHubAllowedAuthOrganizationsPolicyOnlyUsersFromAllowedOrganizations GitHubAllowedAuthOrganizationsPolicy = "OnlyUsersFromAllowedOrganizations"
)
// GitHubIdentityProviderStatus is the status of an GitHub identity provider.
type GitHubIdentityProviderStatus struct {
// Phase summarizes the overall status of the GitHubIdentityProvider.
//
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase GitHubIdentityProviderPhase `json:"phase,omitempty"`
// Conditions represents the observations of an identity provider's current state.
//
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
// GitHubAPIConfig allows configuration for GitHub Enterprise Server
type GitHubAPIConfig struct {
// Host is required only for GitHub Enterprise Server.
// Defaults to using GitHub's public API ("github.com").
// Do not specify a protocol or scheme since "https://" will always be used.
// Port is optional. Do not specify a path, query, fragment, or userinfo.
// Only domain name or IP address, subdomains (optional), and port (optional).
// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
// in square brackets. Example: "[::1]:443".
//
// +kubebuilder:default="github.com"
// +kubebuilder:validation:MinLength=1
// +optional
Host *string `json:"host"`
// TLS configuration for GitHub Enterprise Server.
//
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
}
// GitHubUsernameAttribute allows the user to specify which attribute(s) from GitHub to use for the username to present
// to Kubernetes. See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
type GitHubUsernameAttribute string
const (
// GitHubUsernameID specifies using the `id` attribute from the GitHub user for the username to present to Kubernetes.
GitHubUsernameID GitHubUsernameAttribute = "id"
// GitHubUsernameLogin specifies using the `login` attribute from the GitHub user as the username to present to Kubernetes.
GitHubUsernameLogin GitHubUsernameAttribute = "login"
// GitHubUsernameLoginAndID specifies combining the `login` and `id` attributes from the GitHub user as the
// username to present to Kubernetes, separated by a colon. Example: "my-login:1234"
GitHubUsernameLoginAndID GitHubUsernameAttribute = "login:id"
)
// GitHubGroupNameAttribute allows the user to specify which attribute from GitHub to use for the group
// names to present to Kubernetes. See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
type GitHubGroupNameAttribute string
const (
// GitHubUseTeamNameForGroupName specifies using the GitHub team's `name` attribute as the group name to present to Kubernetes.
GitHubUseTeamNameForGroupName GitHubGroupNameAttribute = "name"
// GitHubUseTeamSlugForGroupName specifies using the GitHub team's `slug` attribute as the group name to present to Kubernetes.
GitHubUseTeamSlugForGroupName GitHubGroupNameAttribute = "slug"
)
// GitHubClaims allows customization of the username and groups claims.
type GitHubClaims struct {
// Username configures which property of the GitHub user record shall determine the username in Kubernetes.
//
// Can be either "id", "login", or "login:id". Defaults to "login:id".
//
// GitHub's user login attributes can only contain alphanumeric characters and non-repeating hyphens,
// and may not start or end with hyphens. GitHub users are allowed to change their login name,
// although it is inconvenient. If a GitHub user changed their login name from "foo" to "bar",
// then a second user might change their name from "baz" to "foo" in order to take the old
// username of the first user. For this reason, it is not as safe to make authorization decisions
// based only on the user's login attribute.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these usernames are presented to Kubernetes.
//
// Defaults to "login:id", which is the user login attribute, followed by a colon, followed by the unique and
// unchanging integer ID number attribute. This blends human-readable login names with the unchanging ID value
// from GitHub. Colons are not allowed in GitHub login attributes or ID numbers, so this is a reasonable
// choice to concatenate the two values.
//
// See the response schema for
// [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user).
//
// +kubebuilder:default="login:id"
// +kubebuilder:validation:Enum={"id","login","login:id"}
// +optional
Username *GitHubUsernameAttribute `json:"username"`
// Groups configures which property of the GitHub team record shall determine the group names in Kubernetes.
//
// Can be either "name" or "slug". Defaults to "slug".
//
// GitHub team names can contain upper and lower case characters, whitespace, and punctuation (e.g. "Kube admins!").
//
// GitHub team slugs are lower case alphanumeric characters and may contain dashes and underscores (e.g. "kube-admins").
//
// Group names as presented to Kubernetes will always be prefixed by the GitHub organization name followed by a
// forward slash (e.g. "my-org/my-team"). GitHub organization login names can only contain alphanumeric characters
// or single hyphens, so the first forward slash `/` will be the separator between the organization login name and
// the team name or slug.
//
// If desired, an admin could configure identity transformation expressions on the Pinniped Supervisor's
// FederationDomain to further customize how these group names are presented to Kubernetes.
//
// See the response schema for
// [List teams for the authenticated user](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
//
// +kubebuilder:default=slug
// +kubebuilder:validation:Enum=name;slug
// +optional
Groups *GitHubGroupNameAttribute `json:"groups"`
}
// GitHubClientSpec contains information about the GitHub client that this identity provider will use
// for web-based login flows.
type GitHubClientSpec struct {
// SecretName contains the name of a namespace-local Secret object that provides the clientID and
// clientSecret for an GitHub App or GitHub OAuth2 client.
//
// This secret must be of type "secrets.pinniped.dev/github-client" with keys "clientID" and "clientSecret".
//
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
type GitHubOrganizationsSpec struct {
// Policy must be set to "AllGitHubUsers" if allowed is empty.
//
// This field only exists to ensure that Pinniped administrators are aware that an empty list of
// allowedOrganizations means all GitHub users are allowed to log in.
//
// +kubebuilder:default=OnlyUsersFromAllowedOrganizations
// +kubebuilder:validation:Enum=OnlyUsersFromAllowedOrganizations;AllGitHubUsers
// +optional
Policy *GitHubAllowedAuthOrganizationsPolicy `json:"policy"`
// Allowed, when specified, indicates that only users with membership in at least one of the listed
// GitHub organizations may log in. In addition, the group membership presented to Kubernetes will only include
// teams within the listed GitHub organizations. Additional login rules or group filtering can optionally be
// provided as policy expression on any Pinniped Supervisor FederationDomain that includes this IDP.
//
// The configured GitHub App or GitHub OAuth App must be allowed to see membership in the listed organizations,
// otherwise Pinniped will not be aware that the user belongs to the listed organization or any teams
// within that organization.
//
// If no organizations are listed, you must set organizations: AllGitHubUsers.
//
// +kubebuilder:validation:MaxItems=64
// +listType=set
// +optional
Allowed []string `json:"allowed,omitempty"`
}
// GitHubAllowAuthenticationSpec allows customization of who can authenticate using this IDP and how.
type GitHubAllowAuthenticationSpec struct {
// Organizations allows customization of which organizations can authenticate using this IDP.
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'OnlyUsersFromAllowedOrganizations' when spec.allowAuthentication.organizations.allowed has organizations listed",rule="!(has(self.allowed) && size(self.allowed) > 0 && self.policy == 'AllGitHubUsers')"
// +kubebuilder:validation:XValidation:message="spec.allowAuthentication.organizations.policy must be 'AllGitHubUsers' when spec.allowAuthentication.organizations.allowed is empty",rule="!((!has(self.allowed) || size(self.allowed) == 0) && self.policy == 'OnlyUsersFromAllowedOrganizations')"
Organizations GitHubOrganizationsSpec `json:"organizations"`
}
// GitHubIdentityProviderSpec is the spec for configuring an GitHub identity provider.
type GitHubIdentityProviderSpec struct {
// GitHubAPI allows configuration for GitHub Enterprise Server
//
// +kubebuilder:default={}
GitHubAPI GitHubAPIConfig `json:"githubAPI,omitempty"`
// Claims allows customization of the username and groups claims.
//
// +kubebuilder:default={}
Claims GitHubClaims `json:"claims,omitempty"`
// AllowAuthentication allows customization of who can authenticate using this IDP and how.
AllowAuthentication GitHubAllowAuthenticationSpec `json:"allowAuthentication"`
// Client identifies the secret with credentials for a GitHub App or GitHub OAuth2 App (a GitHub client).
Client GitHubClientSpec `json:"client"`
}
// GitHubIdentityProvider describes the configuration of an upstream GitHub identity provider.
// This upstream provider can be configured with either a GitHub App or a GitHub OAuth2 App.
//
// Right now, only web-based logins are supported, for both the pinniped-cli client and clients configured
// as OIDCClients.
//
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps
// +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.githubAPI.host`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type GitHubIdentityProvider struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the identity provider.
Spec GitHubIdentityProviderSpec `json:"spec"`
// Status of the identity provider.
Status GitHubIdentityProviderStatus `json:"status,omitempty"`
}
// GitHubIdentityProviderList lists GitHubIdentityProvider objects.
//
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type GitHubIdentityProviderList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []GitHubIdentityProvider `json:"items"`
}

4
generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go generated
View File

@@ -1,9 +1,9 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
// Configuration for TLS parameters related to identity provider integration.
// TLSSpec provides TLS configuration for identity provider integration.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional

215
generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -203,6 +203,221 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
*out = *in
if in.Host != nil {
in, out := &in.Host, &out.Host
*out = new(string)
**out = **in
}
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAPIConfig.
func (in *GitHubAPIConfig) DeepCopy() *GitHubAPIConfig {
if in == nil {
return nil
}
out := new(GitHubAPIConfig)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubAllowAuthenticationSpec) DeepCopyInto(out *GitHubAllowAuthenticationSpec) {
*out = *in
in.Organizations.DeepCopyInto(&out.Organizations)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubAllowAuthenticationSpec.
func (in *GitHubAllowAuthenticationSpec) DeepCopy() *GitHubAllowAuthenticationSpec {
if in == nil {
return nil
}
out := new(GitHubAllowAuthenticationSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubClaims) DeepCopyInto(out *GitHubClaims) {
*out = *in
if in.Username != nil {
in, out := &in.Username, &out.Username
*out = new(GitHubUsernameAttribute)
**out = **in
}
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = new(GitHubGroupNameAttribute)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClaims.
func (in *GitHubClaims) DeepCopy() *GitHubClaims {
if in == nil {
return nil
}
out := new(GitHubClaims)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubClientSpec) DeepCopyInto(out *GitHubClientSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubClientSpec.
func (in *GitHubClientSpec) DeepCopy() *GitHubClientSpec {
if in == nil {
return nil
}
out := new(GitHubClientSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProvider) DeepCopyInto(out *GitHubIdentityProvider) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProvider.
func (in *GitHubIdentityProvider) DeepCopy() *GitHubIdentityProvider {
if in == nil {
return nil
}
out := new(GitHubIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *GitHubIdentityProvider) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderList) DeepCopyInto(out *GitHubIdentityProviderList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]GitHubIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderList.
func (in *GitHubIdentityProviderList) DeepCopy() *GitHubIdentityProviderList {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *GitHubIdentityProviderList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderSpec) DeepCopyInto(out *GitHubIdentityProviderSpec) {
*out = *in
in.GitHubAPI.DeepCopyInto(&out.GitHubAPI)
in.Claims.DeepCopyInto(&out.Claims)
in.AllowAuthentication.DeepCopyInto(&out.AllowAuthentication)
out.Client = in.Client
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderSpec.
func (in *GitHubIdentityProviderSpec) DeepCopy() *GitHubIdentityProviderSpec {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubIdentityProviderStatus) DeepCopyInto(out *GitHubIdentityProviderStatus) {
*out = *in
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubIdentityProviderStatus.
func (in *GitHubIdentityProviderStatus) DeepCopy() *GitHubIdentityProviderStatus {
if in == nil {
return nil
}
out := new(GitHubIdentityProviderStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubOrganizationsSpec) DeepCopyInto(out *GitHubOrganizationsSpec) {
*out = *in
if in.Policy != nil {
in, out := &in.Policy, &out.Policy
*out = new(GitHubAllowedAuthOrganizationsPolicy)
**out = **in
}
if in.Allowed != nil {
in, out := &in.Allowed, &out.Allowed
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitHubOrganizationsSpec.
func (in *GitHubOrganizationsSpec) DeepCopy() *GitHubOrganizationsSpec {
if in == nil {
return nil
}
out := new(GitHubOrganizationsSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider) {
*out = *in

11
generated/1.26/apis/supervisor/idpdiscovery/v1alpha1/types_supervisor_idp_discovery.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -15,6 +15,7 @@ const (
IDPTypeOIDC IDPType = "oidc"
IDPTypeLDAP IDPType = "ldap"
IDPTypeActiveDirectory IDPType = "activedirectory"
IDPTypeGitHub IDPType = "github"
IDPFlowCLIPassword IDPFlow = "cli_password"
IDPFlowBrowserAuthcode IDPFlow = "browser_authcode"
@@ -54,7 +55,8 @@ type OIDCDiscoveryResponseIDPEndpoint struct {
// IDPDiscoveryResponse is the response of a FederationDomain's identity provider discovery endpoint.
type IDPDiscoveryResponse struct {
PinnipedIDPs []PinnipedIDP `json:"pinniped_identity_providers"`
PinnipedIDPs []PinnipedIDP `json:"pinniped_identity_providers"`
PinnipedSupportedIDPTypes []PinnipedSupportedIDPType `json:"pinniped_supported_identity_provider_types"`
}
// PinnipedIDP describes a single identity provider as included in the response of a FederationDomain's
@@ -64,3 +66,8 @@ type PinnipedIDP struct {
Type IDPType `json:"type"`
Flows []IDPFlow `json:"flows,omitempty"`
}
// PinnipedSupportedIDPType describes a single identity provider type.
type PinnipedSupportedIDPType struct {
Type IDPType `json:"type"`
}

129
generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,129 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
"context"
v1alpha1 "go.pinniped.dev/generated/1.26/apis/supervisor/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
labels "k8s.io/apimachinery/pkg/labels"
schema "k8s.io/apimachinery/pkg/runtime/schema"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
testing "k8s.io/client-go/testing"
)
// FakeGitHubIdentityProviders implements GitHubIdentityProviderInterface
type FakeGitHubIdentityProviders struct {
Fake *FakeIDPV1alpha1
ns string
}
var githubidentityprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "githubidentityproviders"}
var githubidentityprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "GitHubIdentityProvider"}
// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any.
func (c *FakeGitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewGetAction(githubidentityprovidersResource, c.ns, name), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors.
func (c *FakeGitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) {
obj, err := c.Fake.
Invokes(testing.NewListAction(githubidentityprovidersResource, githubidentityprovidersKind, c.ns, opts), &v1alpha1.GitHubIdentityProviderList{})
if obj == nil {
return nil, err
}
label, _, _ := testing.ExtractFromListOptions(opts)
if label == nil {
label = labels.Everything()
}
list := &v1alpha1.GitHubIdentityProviderList{ListMeta: obj.(*v1alpha1.GitHubIdentityProviderList).ListMeta}
for _, item := range obj.(*v1alpha1.GitHubIdentityProviderList).Items {
if label.Matches(labels.Set(item.Labels)) {
list.Items = append(list.Items, item)
}
}
return list, err
}
// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders.
func (c *FakeGitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
return c.Fake.
InvokesWatch(testing.NewWatchAction(githubidentityprovidersResource, c.ns, opts))
}
// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *FakeGitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewCreateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *FakeGitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateAction(githubidentityprovidersResource, c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *FakeGitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateSubresourceAction(githubidentityprovidersResource, "status", c.ns, gitHubIdentityProvider), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}
// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs.
func (c *FakeGitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
_, err := c.Fake.
Invokes(testing.NewDeleteActionWithOptions(githubidentityprovidersResource, c.ns, name, opts), &v1alpha1.GitHubIdentityProvider{})
return err
}
// DeleteCollection deletes a collection of objects.
func (c *FakeGitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
action := testing.NewDeleteCollectionAction(githubidentityprovidersResource, c.ns, listOpts)
_, err := c.Fake.Invokes(action, &v1alpha1.GitHubIdentityProviderList{})
return err
}
// Patch applies the patch and returns the patched gitHubIdentityProvider.
func (c *FakeGitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewPatchSubresourceAction(githubidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.GitHubIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.GitHubIdentityProvider), err
}

4
generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go generated
View File

@@ -19,6 +19,10 @@ func (c *FakeIDPV1alpha1) ActiveDirectoryIdentityProviders(namespace string) v1a
return &FakeActiveDirectoryIdentityProviders{c, namespace}
}
func (c *FakeIDPV1alpha1) GitHubIdentityProviders(namespace string) v1alpha1.GitHubIdentityProviderInterface {
return &FakeGitHubIdentityProviders{c, namespace}
}
func (c *FakeIDPV1alpha1) LDAPIdentityProviders(namespace string) v1alpha1.LDAPIdentityProviderInterface {
return &FakeLDAPIdentityProviders{c, namespace}
}

2
generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go generated
View File

@@ -7,6 +7,8 @@ package v1alpha1
type ActiveDirectoryIdentityProviderExpansion interface{}
type GitHubIdentityProviderExpansion interface{}
type LDAPIdentityProviderExpansion interface{}
type OIDCIdentityProviderExpansion interface{}

182
generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,182 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
"time"
v1alpha1 "go.pinniped.dev/generated/1.26/apis/supervisor/idp/v1alpha1"
scheme "go.pinniped.dev/generated/1.26/client/supervisor/clientset/versioned/scheme"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
rest "k8s.io/client-go/rest"
)
// GitHubIdentityProvidersGetter has a method to return a GitHubIdentityProviderInterface.
// A group's client should implement this interface.
type GitHubIdentityProvidersGetter interface {
GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface
}
// GitHubIdentityProviderInterface has methods to work with GitHubIdentityProvider resources.
type GitHubIdentityProviderInterface interface {
Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (*v1alpha1.GitHubIdentityProvider, error)
Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error)
UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.GitHubIdentityProvider, error)
Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.GitHubIdentityProvider, error)
List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.GitHubIdentityProviderList, error)
Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error)
GitHubIdentityProviderExpansion
}
// gitHubIdentityProviders implements GitHubIdentityProviderInterface
type gitHubIdentityProviders struct {
client rest.Interface
ns string
}
// newGitHubIdentityProviders returns a GitHubIdentityProviders
func newGitHubIdentityProviders(c *IDPV1alpha1Client, namespace string) *gitHubIdentityProviders {
return &gitHubIdentityProviders{
client: c.RESTClient(),
ns: namespace,
}
}
// Get takes name of the gitHubIdentityProvider, and returns the corresponding gitHubIdentityProvider object, and an error if there is any.
func (c *gitHubIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
VersionedParams(&options, scheme.ParameterCodec).
Do(ctx).
Into(result)
return
}
// List takes label and field selectors, and returns the list of GitHubIdentityProviders that match those selectors.
func (c *gitHubIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.GitHubIdentityProviderList, err error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
result = &v1alpha1.GitHubIdentityProviderList{}
err = c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Do(ctx).
Into(result)
return
}
// Watch returns a watch.Interface that watches the requested gitHubIdentityProviders.
func (c *gitHubIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
opts.Watch = true
return c.client.Get().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Watch(ctx)
}
// Create takes the representation of a gitHubIdentityProvider and creates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *gitHubIdentityProviders) Create(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Post().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// Update takes the representation of a gitHubIdentityProvider and updates it. Returns the server's representation of the gitHubIdentityProvider, and an error, if there is any.
func (c *gitHubIdentityProviders) Update(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Put().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(gitHubIdentityProvider.Name).
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *gitHubIdentityProviders) UpdateStatus(ctx context.Context, gitHubIdentityProvider *v1alpha1.GitHubIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Put().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(gitHubIdentityProvider.Name).
SubResource("status").
VersionedParams(&opts, scheme.ParameterCodec).
Body(gitHubIdentityProvider).
Do(ctx).
Into(result)
return
}
// Delete takes name of the gitHubIdentityProvider and deletes it. Returns an error if one occurs.
func (c *gitHubIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
return c.client.Delete().
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
Body(&opts).
Do(ctx).
Error()
}
// DeleteCollection deletes a collection of objects.
func (c *gitHubIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
var timeout time.Duration
if listOpts.TimeoutSeconds != nil {
timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
}
return c.client.Delete().
Namespace(c.ns).
Resource("githubidentityproviders").
VersionedParams(&listOpts, scheme.ParameterCodec).
Timeout(timeout).
Body(&opts).
Do(ctx).
Error()
}
// Patch applies the patch and returns the patched gitHubIdentityProvider.
func (c *gitHubIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.GitHubIdentityProvider, err error) {
result = &v1alpha1.GitHubIdentityProvider{}
err = c.client.Patch(pt).
Namespace(c.ns).
Resource("githubidentityproviders").
Name(name).
SubResource(subresources...).
VersionedParams(&opts, scheme.ParameterCodec).
Body(data).
Do(ctx).
Into(result)
return
}

5
generated/1.26/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go generated
View File

@@ -16,6 +16,7 @@ import (
type IDPV1alpha1Interface interface {
RESTClient() rest.Interface
ActiveDirectoryIdentityProvidersGetter
GitHubIdentityProvidersGetter
LDAPIdentityProvidersGetter
OIDCIdentityProvidersGetter
}
@@ -29,6 +30,10 @@ func (c *IDPV1alpha1Client) ActiveDirectoryIdentityProviders(namespace string) A
return newActiveDirectoryIdentityProviders(c, namespace)
}
func (c *IDPV1alpha1Client) GitHubIdentityProviders(namespace string) GitHubIdentityProviderInterface {
return newGitHubIdentityProviders(c, namespace)
}
func (c *IDPV1alpha1Client) LDAPIdentityProviders(namespace string) LDAPIdentityProviderInterface {
return newLDAPIdentityProviders(c, namespace)
}

2
generated/1.26/client/supervisor/informers/externalversions/generic.go generated
View File

@@ -49,6 +49,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
// Group=idp.supervisor.pinniped.dev, Version=v1alpha1
case idpv1alpha1.SchemeGroupVersion.WithResource("activedirectoryidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().ActiveDirectoryIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("githubidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().GitHubIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("ldapidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().LDAPIdentityProviders().Informer()}, nil
case idpv1alpha1.SchemeGroupVersion.WithResource("oidcidentityproviders"):

77
generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,77 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by informer-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
time "time"
idpv1alpha1 "go.pinniped.dev/generated/1.26/apis/supervisor/idp/v1alpha1"
versioned "go.pinniped.dev/generated/1.26/client/supervisor/clientset/versioned"
internalinterfaces "go.pinniped.dev/generated/1.26/client/supervisor/informers/externalversions/internalinterfaces"
v1alpha1 "go.pinniped.dev/generated/1.26/client/supervisor/listers/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// GitHubIdentityProviderInformer provides access to a shared informer and lister for
// GitHubIdentityProviders.
type GitHubIdentityProviderInformer interface {
Informer() cache.SharedIndexInformer
Lister() v1alpha1.GitHubIdentityProviderLister
}
type gitHubIdentityProviderInformer struct {
factory internalinterfaces.SharedInformerFactory
tweakListOptions internalinterfaces.TweakListOptionsFunc
namespace string
}
// NewGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
return NewFilteredGitHubIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
}
// NewFilteredGitHubIdentityProviderInformer constructs a new informer for GitHubIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredGitHubIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().GitHubIdentityProviders(namespace).List(context.TODO(), options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().GitHubIdentityProviders(namespace).Watch(context.TODO(), options)
},
},
&idpv1alpha1.GitHubIdentityProvider{},
resyncPeriod,
indexers,
)
}
func (f *gitHubIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
return NewFilteredGitHubIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
}
func (f *gitHubIdentityProviderInformer) Informer() cache.SharedIndexInformer {
return f.factory.InformerFor(&idpv1alpha1.GitHubIdentityProvider{}, f.defaultInformer)
}
func (f *gitHubIdentityProviderInformer) Lister() v1alpha1.GitHubIdentityProviderLister {
return v1alpha1.NewGitHubIdentityProviderLister(f.Informer().GetIndexer())
}

7
generated/1.26/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go generated
View File

@@ -13,6 +13,8 @@ import (
type Interface interface {
// ActiveDirectoryIdentityProviders returns a ActiveDirectoryIdentityProviderInformer.
ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProviderInformer
// GitHubIdentityProviders returns a GitHubIdentityProviderInformer.
GitHubIdentityProviders() GitHubIdentityProviderInformer
// LDAPIdentityProviders returns a LDAPIdentityProviderInformer.
LDAPIdentityProviders() LDAPIdentityProviderInformer
// OIDCIdentityProviders returns a OIDCIdentityProviderInformer.
@@ -35,6 +37,11 @@ func (v *version) ActiveDirectoryIdentityProviders() ActiveDirectoryIdentityProv
return &activeDirectoryIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
// GitHubIdentityProviders returns a GitHubIdentityProviderInformer.
func (v *version) GitHubIdentityProviders() GitHubIdentityProviderInformer {
return &gitHubIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
// LDAPIdentityProviders returns a LDAPIdentityProviderInformer.
func (v *version) LDAPIdentityProviders() LDAPIdentityProviderInformer {
return &lDAPIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}

8
generated/1.26/client/supervisor/listers/idp/v1alpha1/expansion_generated.go generated
View File

@@ -13,6 +13,14 @@ type ActiveDirectoryIdentityProviderListerExpansion interface{}
// ActiveDirectoryIdentityProviderNamespaceLister.
type ActiveDirectoryIdentityProviderNamespaceListerExpansion interface{}
// GitHubIdentityProviderListerExpansion allows custom methods to be added to
// GitHubIdentityProviderLister.
type GitHubIdentityProviderListerExpansion interface{}
// GitHubIdentityProviderNamespaceListerExpansion allows custom methods to be added to
// GitHubIdentityProviderNamespaceLister.
type GitHubIdentityProviderNamespaceListerExpansion interface{}
// LDAPIdentityProviderListerExpansion allows custom methods to be added to
// LDAPIdentityProviderLister.
type LDAPIdentityProviderListerExpansion interface{}

86
generated/1.26/client/supervisor/listers/idp/v1alpha1/githubidentityprovider.go generated Normal file
View File

@@ -0,0 +1,86 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Code generated by lister-gen. DO NOT EDIT.
package v1alpha1
import (
v1alpha1 "go.pinniped.dev/generated/1.26/apis/supervisor/idp/v1alpha1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
)
// GitHubIdentityProviderLister helps list GitHubIdentityProviders.
// All objects returned here must be treated as read-only.
type GitHubIdentityProviderLister interface {
// List lists all GitHubIdentityProviders in the indexer.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error)
// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders.
GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister
GitHubIdentityProviderListerExpansion
}
// gitHubIdentityProviderLister implements the GitHubIdentityProviderLister interface.
type gitHubIdentityProviderLister struct {
indexer cache.Indexer
}
// NewGitHubIdentityProviderLister returns a new GitHubIdentityProviderLister.
func NewGitHubIdentityProviderLister(indexer cache.Indexer) GitHubIdentityProviderLister {
return &gitHubIdentityProviderLister{indexer: indexer}
}
// List lists all GitHubIdentityProviders in the indexer.
func (s *gitHubIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) {
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider))
})
return ret, err
}
// GitHubIdentityProviders returns an object that can list and get GitHubIdentityProviders.
func (s *gitHubIdentityProviderLister) GitHubIdentityProviders(namespace string) GitHubIdentityProviderNamespaceLister {
return gitHubIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
}
// GitHubIdentityProviderNamespaceLister helps list and get GitHubIdentityProviders.
// All objects returned here must be treated as read-only.
type GitHubIdentityProviderNamespaceLister interface {
// List lists all GitHubIdentityProviders in the indexer for a given namespace.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error)
// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name.
// Objects returned here must be treated as read-only.
Get(name string) (*v1alpha1.GitHubIdentityProvider, error)
GitHubIdentityProviderNamespaceListerExpansion
}
// gitHubIdentityProviderNamespaceLister implements the GitHubIdentityProviderNamespaceLister
// interface.
type gitHubIdentityProviderNamespaceLister struct {
indexer cache.Indexer
namespace string
}
// List lists all GitHubIdentityProviders in the indexer for a given namespace.
func (s gitHubIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.GitHubIdentityProvider, err error) {
err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.GitHubIdentityProvider))
})
return ret, err
}
// Get retrieves the GitHubIdentityProvider from the indexer for a given namespace and name.
func (s gitHubIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.GitHubIdentityProvider, error) {
obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
if err != nil {
return nil, err
}
if !exists {
return nil, errors.NewNotFound(v1alpha1.Resource("githubidentityprovider"), name)
}
return obj.(*v1alpha1.GitHubIdentityProvider), nil
}

2
generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml generated
View File

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: jwtauthenticators.authentication.concierge.pinniped.dev
spec:
group: authentication.concierge.pinniped.dev

Some files were not shown because too many files have changed in this diff Show More