ContainerImage.Pinniped/generated/1.22/crds/config.supervisor.pinniped....

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.8.0
  creationTimestamp: null
  name: oidcclients.config.supervisor.pinniped.dev
spec:
  group: config.supervisor.pinniped.dev
  names:
    categories:
    - pinniped
    kind: OIDCClient
    listKind: OIDCClientList
    plural: oidcclients
    singular: oidcclient
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.allowedScopes[?(@ == "pinniped:request-audience")]
      name: Privileged Scopes
      type: string
    - jsonPath: .status.totalClientSecrets
      name: Client Secrets
      type: integer
    - jsonPath: .status.phase
      name: Status
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: OIDCClient describes the configuration of an OIDC client.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Spec of the OIDC client.
            properties:
              allowedGrantTypes:
                description: "allowedGrantTypes is a list of the allowed grant_type
                  param values that should be accepted during OIDC flows with this
                  client. \n Must only contain the following values: - authorization_code:
                  allows the client to perform the authorization code grant flow,
                  i.e. allows the webapp to authenticate users. This grant must always
                  be listed. - refresh_token: allows the client to perform refresh
                  grants for the user to extend the user's session. This grant must
                  be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange:
                  allows the client to perform RFC8693 token exchange, which is a
                  step in the process to be able to get a cluster credential for the
                  user. This grant must be listed if allowedScopes lists pinniped:request-audience."
                items:
                  enum:
                  - authorization_code
                  - refresh_token
                  - urn:ietf:params:oauth:grant-type:token-exchange
                  type: string
                minItems: 1
                type: array
                x-kubernetes-list-type: set
              allowedRedirectURIs:
                description: allowedRedirectURIs is a list of the allowed redirect_uri
                  param values that should be accepted during OIDC flows with this
                  client. Any other uris will be rejected. Must be a URI with the
                  https scheme, unless the hostname is 127.0.0.1 or ::1 which may
                  use the http scheme. Port numbers are not required for 127.0.0.1
                  or ::1 and are ignored when checking for a matching redirect_uri.
                items:
                  pattern: ^https://.+|^http://(127\.0\.0\.1|\[::1\])(:\d+)?/
                  type: string
                minItems: 1
                type: array
                x-kubernetes-list-type: set
              allowedScopes:
                description: "allowedScopes is a list of the allowed scopes param
                  values that should be accepted during OIDC flows with this client.
                  \n Must only contain the following values: - openid: The client
                  is allowed to request ID tokens. ID tokens only include the required
                  claims by default (iss, sub, aud, exp, iat). This scope must always
                  be listed. - offline_access: The client is allowed to request an
                  initial refresh token during the authorization code grant flow.
                  This scope must be listed if allowedGrantTypes lists refresh_token.
                  - pinniped:request-audience: The client is allowed to request a
                  new audience value during a RFC8693 token exchange, which is a step
                  in the process to be able to get a cluster credential for the user.
                  openid, username and groups scopes must be listed when this scope
                  is present. This scope must be listed if allowedGrantTypes lists
                  urn:ietf:params:oauth:grant-type:token-exchange. - username: The
                  client is allowed to request that ID tokens contain the user's username.
                  Without the username scope being requested and allowed, the ID token
                  will not contain the user's username. - groups: The client is allowed
                  to request that ID tokens contain the user's group membership, if
                  their group membership is discoverable by the Supervisor. Without
                  the groups scope being requested and allowed, the ID token will
                  not contain groups."
                items:
                  enum:
                  - openid
                  - offline_access
                  - username
                  - groups
                  - pinniped:request-audience
                  type: string
                minItems: 1
                type: array
                x-kubernetes-list-type: set
            required:
            - allowedGrantTypes
            - allowedRedirectURIs
            - allowedScopes
            type: object
          status:
            description: Status of the OIDC client.
            properties:
              conditions:
                description: conditions represent the observations of an OIDCClient's
                  current state.
                items:
                  description: Condition status of a resource (mirrored from the metav1.Condition
                    type added in Kubernetes 1.19). In a future API version we can
                    switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
                  properties:
                    lastTransitionTime:
                      description: lastTransitionTime is the last time the condition
                        transitioned from one status to another. This should be when
                        the underlying condition changed.  If that is not known, then
                        using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: message is a human readable message indicating
                        details about the transition. This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: observedGeneration represents the .metadata.generation
                        that the condition was set based upon. For instance, if .metadata.generation
                        is currently 12, but the .status.conditions[x].observedGeneration
                        is 9, the condition is out of date with respect to the current
                        state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: reason contains a programmatic identifier indicating
                        the reason for the condition's last transition. Producers
                        of specific condition types may define expected values and
                        meanings for this field, and whether the values are considered
                        a guaranteed API. The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                        --- Many .condition.type values are consistent across resources
                        like Available, but because arbitrary conditions can be useful
                        (see .node.status.conditions), the ability to deconflict is
                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
              phase:
                default: Pending
                description: phase summarizes the overall status of the OIDCClient.
                enum:
                - Pending
                - Ready
                - Error
                type: string
              totalClientSecrets:
                description: totalClientSecrets is the current number of client secrets
                  that are detected for this OIDCClient.
                format: int32
                type: integer
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
Add CRD for OIDCClient Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-03 23:22:15 +00:00			`---`
			`apiVersion: apiextensions.k8s.io/v1`
			`kind: CustomResourceDefinition`
			`metadata:`
			`annotations:`
			`controller-gen.kubebuilder.io/version: v0.8.0`
			`creationTimestamp: null`
Move oidcclient into config.supervisor.pinniped.dev Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-13 22:48:54 +00:00			`name: oidcclients.config.supervisor.pinniped.dev`
Add CRD for OIDCClient Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-03 23:22:15 +00:00			`spec:`
Move oidcclient into config.supervisor.pinniped.dev Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-13 22:48:54 +00:00			`group: config.supervisor.pinniped.dev`
Add CRD for OIDCClient Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-03 23:22:15 +00:00			`names:`
			`categories:`
			`- pinniped`
			`kind: OIDCClient`
			`listKind: OIDCClientList`
			`plural: oidcclients`
			`singular: oidcclient`
			`scope: Namespaced`
			`versions:`
			`- additionalPrinterColumns:`
Configure printer columns for OIDCClient CRD 2022-07-21 23:40:03 +00:00			`- jsonPath: .spec.allowedScopes[?(@ == "pinniped:request-audience")]`
			`name: Privileged Scopes`
			`type: string`
			`- jsonPath: .status.totalClientSecrets`
			`name: Client Secrets`
			`type: integer`
			`- jsonPath: .status.phase`
			`name: Status`
			`type: string`
Add CRD for OIDCClient Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-03 23:22:15 +00:00			`- jsonPath: .metadata.creationTimestamp`
			`name: Age`
			`type: date`
			`name: v1alpha1`
			`schema:`
			`openAPIV3Schema:`
			`description: OIDCClient describes the configuration of an OIDC client.`
			`properties:`
			`apiVersion:`
			`description: 'APIVersion defines the versioned schema of this representation`
			`of an object. Servers should convert recognized schemas to the latest`
			`internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'`
			`type: string`
			`kind:`
			`description: 'Kind is a string value representing the REST resource this`
			`object represents. Servers may infer this from the endpoint the client`
			`submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'`
			`type: string`
			`metadata:`
			`type: object`
			`spec:`
Fix typo in oidcclient spec and status descriptions Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-06 14:38:57 +00:00			`description: Spec of the OIDC client.`
Add CRD for OIDCClient Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-03 23:22:15 +00:00			`properties:`
			`allowedGrantTypes:`
			`description: "allowedGrantTypes is a list of the allowed grant_type`
			`param values that should be accepted during OIDC flows with this`
			`client. \n Must only contain the following values: - authorization_code:`
			`allows the client to perform the authorization code grant flow,`
			`i.e. allows the webapp to authenticate users. This grant must always`
			`be listed. - refresh_token: allows the client to perform refresh`
			`grants for the user to extend the user's session. This grant must`
			`be listed if allowedScopes lists offline_access. - urn:ietf:params:oauth:grant-type:token-exchange:`
			`allows the client to perform RFC8693 token exchange, which is a`
			`step in the process to be able to get a cluster credential for the`
			`user. This grant must be listed if allowedScopes lists pinniped:request-audience."`
			`items:`
Add enum validation for scopes and grant types Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-06 17:15:25 +00:00			`enum:`
			`- authorization_code`
			`- refresh_token`
			`- urn:ietf:params:oauth:grant-type:token-exchange`
Add CRD for OIDCClient Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-03 23:22:15 +00:00			`type: string`
			`minItems: 1`
			`type: array`
Static validation for OIDC clients The following validation is enforced: 1. Names must start with client.oauth.pinniped.dev- 2. Redirect URIs must start with https:// or http://127.0.0.1 or http://::1 3. All spec lists must not have duplicates Added an integration test to assert all static validations. Signed-off-by: Monis Khan <mok@vmware.com> 2022-06-14 00:06:47 +00:00			`x-kubernetes-list-type: set`
Add CRD for OIDCClient Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-03 23:22:15 +00:00			`allowedRedirectURIs:`
			`description: allowedRedirectURIs is a list of the allowed redirect_uri`
			`param values that should be accepted during OIDC flows with this`
Static validation for OIDC clients The following validation is enforced: 1. Names must start with client.oauth.pinniped.dev- 2. Redirect URIs must start with https:// or http://127.0.0.1 or http://::1 3. All spec lists must not have duplicates Added an integration test to assert all static validations. Signed-off-by: Monis Khan <mok@vmware.com> 2022-06-14 00:06:47 +00:00			`client. Any other uris will be rejected. Must be a URI with the`
			`https scheme, unless the hostname is 127.0.0.1 or ::1 which may`
			`use the http scheme. Port numbers are not required for 127.0.0.1`
			`or ::1 and are ignored when checking for a matching redirect_uri.`
Add CRD for OIDCClient Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-03 23:22:15 +00:00			`items:`
Static validation for OIDC clients The following validation is enforced: 1. Names must start with client.oauth.pinniped.dev- 2. Redirect URIs must start with https:// or http://127.0.0.1 or http://::1 3. All spec lists must not have duplicates Added an integration test to assert all static validations. Signed-off-by: Monis Khan <mok@vmware.com> 2022-06-14 00:06:47 +00:00			`pattern: ^https://.+\|^http://(127\.0\.0\.1\|\[::1\])(:\d+)?/`
Add CRD for OIDCClient Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-03 23:22:15 +00:00			`type: string`
			`minItems: 1`
			`type: array`
Static validation for OIDC clients The following validation is enforced: 1. Names must start with client.oauth.pinniped.dev- 2. Redirect URIs must start with https:// or http://127.0.0.1 or http://::1 3. All spec lists must not have duplicates Added an integration test to assert all static validations. Signed-off-by: Monis Khan <mok@vmware.com> 2022-06-14 00:06:47 +00:00			`x-kubernetes-list-type: set`
Add CRD for OIDCClient Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-03 23:22:15 +00:00			`allowedScopes:`
			`description: "allowedScopes is a list of the allowed scopes param`
			`values that should be accepted during OIDC flows with this client.`
			`\n Must only contain the following values: - openid: The client`
			`is allowed to request ID tokens. ID tokens only include the required`
			`claims by default (iss, sub, aud, exp, iat). This scope must always`
			`be listed. - offline_access: The client is allowed to request an`
			`initial refresh token during the authorization code grant flow.`
			`This scope must be listed if allowedGrantTypes lists refresh_token.`
			`- pinniped:request-audience: The client is allowed to request a`
			`new audience value during a RFC8693 token exchange, which is a step`
			`in the process to be able to get a cluster credential for the user.`
			`openid, username and groups scopes must be listed when this scope`
			`is present. This scope must be listed if allowedGrantTypes lists`
			`urn:ietf:params:oauth:grant-type:token-exchange. - username: The`
			`client is allowed to request that ID tokens contain the user's username.`
			`Without the username scope being requested and allowed, the ID token`
			`will not contain the user's username. - groups: The client is allowed`
			`to request that ID tokens contain the user's group membership, if`
			`their group membership is discoverable by the Supervisor. Without`
			`the groups scope being requested and allowed, the ID token will`
			`not contain groups."`
			`items:`
Add enum validation for scopes and grant types Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-06 17:15:25 +00:00			`enum:`
			`- openid`
			`- offline_access`
			`- username`
			`- groups`
			`- pinniped:request-audience`
Add CRD for OIDCClient Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-03 23:22:15 +00:00			`type: string`
			`minItems: 1`
			`type: array`
Static validation for OIDC clients The following validation is enforced: 1. Names must start with client.oauth.pinniped.dev- 2. Redirect URIs must start with https:// or http://127.0.0.1 or http://::1 3. All spec lists must not have duplicates Added an integration test to assert all static validations. Signed-off-by: Monis Khan <mok@vmware.com> 2022-06-14 00:06:47 +00:00			`x-kubernetes-list-type: set`
Add CRD for OIDCClient Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-03 23:22:15 +00:00			`required:`
			`- allowedGrantTypes`
			`- allowedRedirectURIs`
			`- allowedScopes`
			`type: object`
			`status:`
Fix typo in oidcclient spec and status descriptions Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-06 14:38:57 +00:00			`description: Status of the OIDC client.`
New controller watches OIDCClients and updates validation Conditions 2022-06-17 16:56:53 +00:00			`properties:`
			`conditions:`
OIDCClient watcher controller updates based on PR feedback 2022-07-06 17:34:24 +00:00			`description: conditions represent the observations of an OIDCClient's`
			`current state.`
New controller watches OIDCClients and updates validation Conditions 2022-06-17 16:56:53 +00:00			`items:`
			`description: Condition status of a resource (mirrored from the metav1.Condition`
			`type added in Kubernetes 1.19). In a future API version we can`
			`switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.`
			`properties:`
			`lastTransitionTime:`
			`description: lastTransitionTime is the last time the condition`
			`transitioned from one status to another. This should be when`
			`the underlying condition changed. If that is not known, then`
			`using the time when the API field changed is acceptable.`
			`format: date-time`
			`type: string`
			`message:`
			`description: message is a human readable message indicating`
			`details about the transition. This may be an empty string.`
			`maxLength: 32768`
			`type: string`
			`observedGeneration:`
			`description: observedGeneration represents the .metadata.generation`
			`that the condition was set based upon. For instance, if .metadata.generation`
			`is currently 12, but the .status.conditions[x].observedGeneration`
			`is 9, the condition is out of date with respect to the current`
			`state of the instance.`
			`format: int64`
			`minimum: 0`
			`type: integer`
			`reason:`
			`description: reason contains a programmatic identifier indicating`
			`the reason for the condition's last transition. Producers`
			`of specific condition types may define expected values and`
			`meanings for this field, and whether the values are considered`
			`a guaranteed API. The value should be a CamelCase string.`
			`This field may not be empty.`
			`maxLength: 1024`
			`minLength: 1`
			`pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`
			`type: string`
			`status:`
			`description: status of the condition, one of True, False, Unknown.`
			`enum:`
			`- "True"`
			`- "False"`
			`- Unknown`
			`type: string`
			`type:`
			`description: type of condition in CamelCase or in foo.example.com/CamelCase.`
			`--- Many .condition.type values are consistent across resources`
			`like Available, but because arbitrary conditions can be useful`
			`(see .node.status.conditions), the ability to deconflict is`
			`important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)`
			`maxLength: 316`
			`pattern: ^([a-z0-9]([-a-z0-9][a-z0-9])?(\.[a-z0-9]([-a-z0-9][a-z0-9])?)/)?(([A-Za-z0-9][-A-Za-z0-9_.])?[A-Za-z0-9])$`
			`type: string`
			`required:`
			`- lastTransitionTime`
			`- message`
			`- reason`
			`- status`
			`- type`
			`type: object`
			`type: array`
			`x-kubernetes-list-map-keys:`
			`- type`
			`x-kubernetes-list-type: map`
			`phase:`
			`default: Pending`
OIDCClient watcher controller updates based on PR feedback 2022-07-06 17:34:24 +00:00			`description: phase summarizes the overall status of the OIDCClient.`
New controller watches OIDCClients and updates validation Conditions 2022-06-17 16:56:53 +00:00			`enum:`
			`- Pending`
			`- Ready`
			`- Error`
			`type: string`
OIDCClient watcher controller updates based on PR feedback 2022-07-06 17:34:24 +00:00			`totalClientSecrets:`
			`description: totalClientSecrets is the current number of client secrets`
			`that are detected for this OIDCClient.`
TotalClientSecrets field gets omitempty and becomes int32 2022-07-14 16:30:03 +00:00			`format: int32`
OIDCClient watcher controller updates based on PR feedback 2022-07-06 17:34:24 +00:00			`type: integer`
Add CRD for OIDCClient Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-03 23:22:15 +00:00			`type: object`
			`required:`
			`- spec`
			`type: object`
			`served: true`
			`storage: true`
			`subresources:`
			`status: {}`
			`status:`
			`acceptedNames:`
			`kind: ""`
			`plural: ""`
			`conditions: []`
			`storedVersions: []`