From 2bf5c8b48bf13e08b77323b5837647ba4d6ba341 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Mon, 2 Nov 2020 16:55:29 -0600 Subject: [PATCH] Replace the OIDCProvider field SNICertificateSecretName with a TLS.SecretName field. Signed-off-by: Matt Moyer --- .../v1alpha1/types_oidcprovider.go.tmpl | 45 +++--- deploy/supervisor/README.md | 14 +- ...supervisor.pinniped.dev_oidcproviders.yaml | 46 +++--- generated/1.17/README.adoc | 27 +++- .../config/v1alpha1/types_oidcprovider.go | 45 +++--- .../config/v1alpha1/zz_generated.deepcopy.go | 23 ++- .../openapi/zz_generated.openapi.go | 140 +++++++++-------- ...supervisor.pinniped.dev_oidcproviders.yaml | 46 +++--- generated/1.18/README.adoc | 27 +++- .../config/v1alpha1/types_oidcprovider.go | 45 +++--- .../config/v1alpha1/zz_generated.deepcopy.go | 23 ++- .../openapi/zz_generated.openapi.go | 140 +++++++++-------- ...supervisor.pinniped.dev_oidcproviders.yaml | 46 +++--- generated/1.19/README.adoc | 27 +++- .../config/v1alpha1/types_oidcprovider.go | 45 +++--- .../config/v1alpha1/zz_generated.deepcopy.go | 23 ++- .../openapi/zz_generated.openapi.go | 142 ++++++++++-------- ...supervisor.pinniped.dev_oidcproviders.yaml | 46 +++--- .../oidcproviderconfig_watcher.go | 4 +- .../oidcproviderconfig_watcher_test.go | 16 +- .../supervisorconfig/tls_cert_observer.go | 5 +- .../tls_cert_observer_test.go | 16 +- test/integration/supervisor_discovery_test.go | 40 ++--- test/library/client.go | 6 +- 24 files changed, 634 insertions(+), 403 deletions(-) diff --git a/apis/supervisor/config/v1alpha1/types_oidcprovider.go.tmpl b/apis/supervisor/config/v1alpha1/types_oidcprovider.go.tmpl index fa9b0e5b..fd05127e 100644 --- a/apis/supervisor/config/v1alpha1/types_oidcprovider.go.tmpl +++ b/apis/supervisor/config/v1alpha1/types_oidcprovider.go.tmpl @@ -18,6 +18,29 @@ const ( InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid") ) +// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider. +type OIDCProviderTLSSpec struct { + // SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret + // named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + // for TLS. + // + // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + // + // SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + // SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + // SecretName value even if they have different port numbers. + // + // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an + // Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + // use the default TLS certificate, which is configured elsewhere. + // + // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. + // + // +optional + SecretName string `json:"secretName,omitempty"` +} + // OIDCProviderSpec is a struct that describes an OIDC Provider. type OIDCProviderSpec struct { // Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the @@ -31,27 +54,9 @@ type OIDCProviderSpec struct { // +kubebuilder:validation:MinLength=1 Issuer string `json:"issuer"` - // SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, - // which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. - // When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that - // contain the certificate and private key to use for TLS. - // - // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. - // - // SNICertificateSecretName is required if you would like to use different TLS certificates for - // issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same - // DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. - // - // SNICertificateSecretName is not required when you would like to use only the - // HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you - // would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, - // which is configured elsewhere. - // - // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work - // for IP addresses. - // + // TLS configures how this OIDCProvider is served over Transport Layer Security (TLS). // +optional - SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"` + TLS *OIDCProviderTLSSpec `json:"tls,omitempty"` } // OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider. diff --git a/deploy/supervisor/README.md b/deploy/supervisor/README.md index 6df7852d..a3f214bb 100644 --- a/deploy/supervisor/README.md +++ b/deploy/supervisor/README.md @@ -146,9 +146,11 @@ spec: # The hostname would typically match the DNS name of the public ingress or load balancer for the cluster. # Any path can be specified, which allows a single hostname to have multiple different issuers. The path is optional. issuer: https://my-issuer.example.com/any/path + # Optionally configure the name of a Secret in the same namespace, of type `kubernetes.io/tls`, # which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. - sniCertificateSecretName: my-tls-cert-secret + tls: + secretName: my-tls-cert-secret ``` #### Configuring TLS for the Supervisor OIDC Endpoints @@ -159,17 +161,17 @@ configure TLS certificates on the OIDCProvider. If you are using a LoadBalancer Service to expose the Supervisor app outside your cluster, then you will also need to configure the Supervisor app to terminate TLS. There are two places to configure TLS certificates: -1. Each `OIDCProvider` can be configured with TLS certificates, using the `sniCertificateSecretName` field. +1. Each `OIDCProvider` can be configured with TLS certificates, using the `spec.tls.secretName` field. 1. The default TLS certificate for all OIDC providers can be configured by creating a Secret called `pinniped-supervisor-default-tls-certificate` in the same namespace in which the Supervisor was installed. -The default TLS certificate will be used for all OIDC providers which did not declare an `sniCertificateSecretName`. -Also, the `sniCertificateSecretName` will be ignored for incoming requests to the OIDC endpoints +The default TLS certificate will be used for all OIDC providers which did not declare a `spec.tls.secretName`. +Also, the `spec.tls.secretName` will be ignored for incoming requests to the OIDC endpoints that use an IP address as the host, so those requests will always present the default TLS certificates to the client. When the request includes the hostname, and that hostname matches the hostname of an `Issuer`, -then the TLS certificate defined by the `sniCertificateSecretName` will be used. If that issuer did not -define `sniCertificateSecretName` then the default TLS certificate will be used. If neither exists, +then the TLS certificate defined by the `spec.tls.secretName` will be used. If that issuer did not +define `spec.tls.secretName` then the default TLS certificate will be used. If neither exists, then the client will get a TLS error because the server will not present any TLS certificate. It is recommended that you have a DNS entry for your load balancer or Ingress, and that you configure the diff --git a/deploy/supervisor/config.supervisor.pinniped.dev_oidcproviders.yaml b/deploy/supervisor/config.supervisor.pinniped.dev_oidcproviders.yaml index ce9b3240..9ffea8c7 100644 --- a/deploy/supervisor/config.supervisor.pinniped.dev_oidcproviders.yaml +++ b/deploy/supervisor/config.supervisor.pinniped.dev_oidcproviders.yaml @@ -47,26 +47,32 @@ spec: for more information." minLength: 1 type: string - sniCertificateSecretName: - description: "SNICertificateSecretName is an optional name of a Secret - in the same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by this - OIDC Provider. When provided, the TLS Secret named here must contain - keys named `tls.crt` and `tls.key` that contain the certificate - and private key to use for TLS. \n Server Name Indication (SNI) - is an extension to the Transport Layer Security (TLS) supported - by all major browsers. \n SNICertificateSecretName is required if - you would like to use different TLS certificates for issuers of - different hostnames. SNI requests do not include port numbers, so - all issuers with the same DNS hostname must use the same SNICertificateSecretName - value even if they have different port numbers. \n SNICertificateSecretName - is not required when you would like to use only the HTTP endpoints - (e.g. when terminating TLS at an Ingress). It is also not required - when you would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." - type: string + tls: + description: TLS configures how this OIDCProvider is served over Transport + Layer Security (TLS). + properties: + secretName: + description: "SecretName is an optional name of a Secret in the + same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by + this OIDCProvider. When provided, the TLS Secret named here + must contain keys named `tls.crt` and `tls.key` that contain + the certificate and private key to use for TLS. \n Server Name + Indication (SNI) is an extension to the Transport Layer Security + (TLS) supported by all major browsers. \n SecretName is required + if you would like to use different TLS certificates for issuers + of different hostnames. SNI requests do not include port numbers, + so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. \n + SecretName is not required when you would like to use only the + HTTP endpoints (e.g. when terminating TLS at an Ingress). It + is also not required when you would like all requests to this + OIDC Provider's HTTPS endpoints to use the default TLS certificate, + which is configured elsewhere. \n When your Issuer URL's host + is an IP address, then this field is ignored. SNI does not work + for IP addresses." + type: string + type: object required: - issuer type: object diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 7df2f5ba..c4ee09b2 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc @@ -254,11 +254,7 @@ OIDCProviderSpec is a struct that describes an OIDC Provider. | Field | Description | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. -| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. - Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. - SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. - SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. - When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcprovidertlsspec[$$OIDCProviderTLSSpec$$]__ | TLS configures how this OIDCProvider is served over Transport Layer Security (TLS). |=== @@ -282,6 +278,27 @@ OIDCProviderStatus is a struct that describes the actual state of an OIDC Provid |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcprovidertlsspec"] +==== OIDCProviderTLSSpec + +OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. +|=== + + [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"] === login.concierge.pinniped.dev/v1alpha1 diff --git a/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcprovider.go b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcprovider.go index fa9b0e5b..fd05127e 100644 --- a/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcprovider.go +++ b/generated/1.17/apis/supervisor/config/v1alpha1/types_oidcprovider.go @@ -18,6 +18,29 @@ const ( InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid") ) +// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider. +type OIDCProviderTLSSpec struct { + // SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret + // named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + // for TLS. + // + // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + // + // SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + // SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + // SecretName value even if they have different port numbers. + // + // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an + // Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + // use the default TLS certificate, which is configured elsewhere. + // + // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. + // + // +optional + SecretName string `json:"secretName,omitempty"` +} + // OIDCProviderSpec is a struct that describes an OIDC Provider. type OIDCProviderSpec struct { // Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the @@ -31,27 +54,9 @@ type OIDCProviderSpec struct { // +kubebuilder:validation:MinLength=1 Issuer string `json:"issuer"` - // SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, - // which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. - // When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that - // contain the certificate and private key to use for TLS. - // - // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. - // - // SNICertificateSecretName is required if you would like to use different TLS certificates for - // issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same - // DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. - // - // SNICertificateSecretName is not required when you would like to use only the - // HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you - // would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, - // which is configured elsewhere. - // - // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work - // for IP addresses. - // + // TLS configures how this OIDCProvider is served over Transport Layer Security (TLS). // +optional - SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"` + TLS *OIDCProviderTLSSpec `json:"tls,omitempty"` } // OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider. diff --git a/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index a195042d..f208d4d0 100644 --- a/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.17/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -16,7 +16,7 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec + in.Spec.DeepCopyInto(&out.Spec) in.Status.DeepCopyInto(&out.Status) return } @@ -75,6 +75,11 @@ func (in *OIDCProviderList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) { *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(OIDCProviderTLSSpec) + **out = **in + } return } @@ -108,3 +113,19 @@ func (in *OIDCProviderStatus) DeepCopy() *OIDCProviderStatus { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCProviderTLSSpec) DeepCopyInto(out *OIDCProviderTLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderTLSSpec. +func (in *OIDCProviderTLSSpec) DeepCopy() *OIDCProviderTLSSpec { + if in == nil { + return nil + } + out := new(OIDCProviderTLSSpec) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.17/client/supervisor/openapi/zz_generated.openapi.go b/generated/1.17/client/supervisor/openapi/zz_generated.openapi.go index 0f1973b2..f67a95e8 100644 --- a/generated/1.17/client/supervisor/openapi/zz_generated.openapi.go +++ b/generated/1.17/client/supervisor/openapi/zz_generated.openapi.go @@ -17,61 +17,62 @@ import ( func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition { return map[string]common.OpenAPIDefinition{ - "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProvider": schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref), - "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref), - "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref), - "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList": schema_pkg_apis_meta_v1_APIResourceList(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions": schema_pkg_apis_meta_v1_APIVersions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions": schema_pkg_apis_meta_v1_CreateOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions": schema_pkg_apis_meta_v1_DeleteOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Duration": schema_pkg_apis_meta_v1_Duration(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions": schema_pkg_apis_meta_v1_ExportOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1": schema_pkg_apis_meta_v1_FieldsV1(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions": schema_pkg_apis_meta_v1_GetOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind": schema_pkg_apis_meta_v1_GroupKind(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource": schema_pkg_apis_meta_v1_GroupResource(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion": schema_pkg_apis_meta_v1_GroupVersion(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery": schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind": schema_pkg_apis_meta_v1_GroupVersionKind(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource": schema_pkg_apis_meta_v1_GroupVersionResource(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent": schema_pkg_apis_meta_v1_InternalEvent(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector": schema_pkg_apis_meta_v1_LabelSelector(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement": schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.List": schema_pkg_apis_meta_v1_List(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta": schema_pkg_apis_meta_v1_ListMeta(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions": schema_pkg_apis_meta_v1_ListOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry": schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime": schema_pkg_apis_meta_v1_MicroTime(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta": schema_pkg_apis_meta_v1_ObjectMeta(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference": schema_pkg_apis_meta_v1_OwnerReference(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata": schema_pkg_apis_meta_v1_PartialObjectMetadata(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList": schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Patch": schema_pkg_apis_meta_v1_Patch(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions": schema_pkg_apis_meta_v1_PatchOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions": schema_pkg_apis_meta_v1_Preconditions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths": schema_pkg_apis_meta_v1_RootPaths(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR": schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Status": schema_pkg_apis_meta_v1_Status(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause": schema_pkg_apis_meta_v1_StatusCause(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails": schema_pkg_apis_meta_v1_StatusDetails(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Table": schema_pkg_apis_meta_v1_Table(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition": schema_pkg_apis_meta_v1_TableColumnDefinition(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions": schema_pkg_apis_meta_v1_TableOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.TableRow": schema_pkg_apis_meta_v1_TableRow(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition": schema_pkg_apis_meta_v1_TableRowCondition(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Time": schema_pkg_apis_meta_v1_Time(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp": schema_pkg_apis_meta_v1_Timestamp(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta": schema_pkg_apis_meta_v1_TypeMeta(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions": schema_pkg_apis_meta_v1_UpdateOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent": schema_pkg_apis_meta_v1_WatchEvent(ref), - "k8s.io/apimachinery/pkg/runtime.RawExtension": schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref), - "k8s.io/apimachinery/pkg/runtime.TypeMeta": schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref), - "k8s.io/apimachinery/pkg/runtime.Unknown": schema_k8sio_apimachinery_pkg_runtime_Unknown(ref), - "k8s.io/apimachinery/pkg/version.Info": schema_k8sio_apimachinery_pkg_version_Info(ref), + "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProvider": schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref), + "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref), + "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref), + "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref), + "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList": schema_pkg_apis_meta_v1_APIResourceList(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions": schema_pkg_apis_meta_v1_APIVersions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions": schema_pkg_apis_meta_v1_CreateOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions": schema_pkg_apis_meta_v1_DeleteOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Duration": schema_pkg_apis_meta_v1_Duration(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions": schema_pkg_apis_meta_v1_ExportOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1": schema_pkg_apis_meta_v1_FieldsV1(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions": schema_pkg_apis_meta_v1_GetOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind": schema_pkg_apis_meta_v1_GroupKind(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource": schema_pkg_apis_meta_v1_GroupResource(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion": schema_pkg_apis_meta_v1_GroupVersion(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery": schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind": schema_pkg_apis_meta_v1_GroupVersionKind(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource": schema_pkg_apis_meta_v1_GroupVersionResource(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent": schema_pkg_apis_meta_v1_InternalEvent(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector": schema_pkg_apis_meta_v1_LabelSelector(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement": schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.List": schema_pkg_apis_meta_v1_List(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta": schema_pkg_apis_meta_v1_ListMeta(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions": schema_pkg_apis_meta_v1_ListOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry": schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime": schema_pkg_apis_meta_v1_MicroTime(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta": schema_pkg_apis_meta_v1_ObjectMeta(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference": schema_pkg_apis_meta_v1_OwnerReference(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata": schema_pkg_apis_meta_v1_PartialObjectMetadata(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList": schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Patch": schema_pkg_apis_meta_v1_Patch(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions": schema_pkg_apis_meta_v1_PatchOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions": schema_pkg_apis_meta_v1_Preconditions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths": schema_pkg_apis_meta_v1_RootPaths(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR": schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Status": schema_pkg_apis_meta_v1_Status(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause": schema_pkg_apis_meta_v1_StatusCause(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails": schema_pkg_apis_meta_v1_StatusDetails(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Table": schema_pkg_apis_meta_v1_Table(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition": schema_pkg_apis_meta_v1_TableColumnDefinition(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions": schema_pkg_apis_meta_v1_TableOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.TableRow": schema_pkg_apis_meta_v1_TableRow(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition": schema_pkg_apis_meta_v1_TableRowCondition(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Time": schema_pkg_apis_meta_v1_Time(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp": schema_pkg_apis_meta_v1_Timestamp(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta": schema_pkg_apis_meta_v1_TypeMeta(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions": schema_pkg_apis_meta_v1_UpdateOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent": schema_pkg_apis_meta_v1_WatchEvent(ref), + "k8s.io/apimachinery/pkg/runtime.RawExtension": schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref), + "k8s.io/apimachinery/pkg/runtime.TypeMeta": schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref), + "k8s.io/apimachinery/pkg/runtime.Unknown": schema_k8sio_apimachinery_pkg_runtime_Unknown(ref), + "k8s.io/apimachinery/pkg/version.Info": schema_k8sio_apimachinery_pkg_version_Info(ref), } } @@ -183,17 +184,18 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref common.Referenc Format: "", }, }, - "sniCertificateSecretName": { + "tls": { SchemaProps: spec.SchemaProps{ - Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.", - Type: []string{"string"}, - Format: "", + Description: "TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).", + Ref: ref("go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"), }, }, }, Required: []string{"issuer"}, }, }, + Dependencies: []string{ + "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"}, } } @@ -238,6 +240,26 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref common.Refere } } +func schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "secretName": { + SchemaProps: spec.SchemaProps{ + Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.\n\nSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/generated/1.17/crds/config.supervisor.pinniped.dev_oidcproviders.yaml b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcproviders.yaml index ce9b3240..9ffea8c7 100644 --- a/generated/1.17/crds/config.supervisor.pinniped.dev_oidcproviders.yaml +++ b/generated/1.17/crds/config.supervisor.pinniped.dev_oidcproviders.yaml @@ -47,26 +47,32 @@ spec: for more information." minLength: 1 type: string - sniCertificateSecretName: - description: "SNICertificateSecretName is an optional name of a Secret - in the same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by this - OIDC Provider. When provided, the TLS Secret named here must contain - keys named `tls.crt` and `tls.key` that contain the certificate - and private key to use for TLS. \n Server Name Indication (SNI) - is an extension to the Transport Layer Security (TLS) supported - by all major browsers. \n SNICertificateSecretName is required if - you would like to use different TLS certificates for issuers of - different hostnames. SNI requests do not include port numbers, so - all issuers with the same DNS hostname must use the same SNICertificateSecretName - value even if they have different port numbers. \n SNICertificateSecretName - is not required when you would like to use only the HTTP endpoints - (e.g. when terminating TLS at an Ingress). It is also not required - when you would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." - type: string + tls: + description: TLS configures how this OIDCProvider is served over Transport + Layer Security (TLS). + properties: + secretName: + description: "SecretName is an optional name of a Secret in the + same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by + this OIDCProvider. When provided, the TLS Secret named here + must contain keys named `tls.crt` and `tls.key` that contain + the certificate and private key to use for TLS. \n Server Name + Indication (SNI) is an extension to the Transport Layer Security + (TLS) supported by all major browsers. \n SecretName is required + if you would like to use different TLS certificates for issuers + of different hostnames. SNI requests do not include port numbers, + so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. \n + SecretName is not required when you would like to use only the + HTTP endpoints (e.g. when terminating TLS at an Ingress). It + is also not required when you would like all requests to this + OIDC Provider's HTTPS endpoints to use the default TLS certificate, + which is configured elsewhere. \n When your Issuer URL's host + is an IP address, then this field is ignored. SNI does not work + for IP addresses." + type: string + type: object required: - issuer type: object diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index 0694d9e4..d9fd0d50 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc @@ -254,11 +254,7 @@ OIDCProviderSpec is a struct that describes an OIDC Provider. | Field | Description | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. -| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. - Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. - SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. - SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. - When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcprovidertlsspec[$$OIDCProviderTLSSpec$$]__ | TLS configures how this OIDCProvider is served over Transport Layer Security (TLS). |=== @@ -282,6 +278,27 @@ OIDCProviderStatus is a struct that describes the actual state of an OIDC Provid |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcprovidertlsspec"] +==== OIDCProviderTLSSpec + +OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. +|=== + + [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"] === login.concierge.pinniped.dev/v1alpha1 diff --git a/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcprovider.go b/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcprovider.go index fa9b0e5b..fd05127e 100644 --- a/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcprovider.go +++ b/generated/1.18/apis/supervisor/config/v1alpha1/types_oidcprovider.go @@ -18,6 +18,29 @@ const ( InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid") ) +// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider. +type OIDCProviderTLSSpec struct { + // SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret + // named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + // for TLS. + // + // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + // + // SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + // SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + // SecretName value even if they have different port numbers. + // + // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an + // Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + // use the default TLS certificate, which is configured elsewhere. + // + // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. + // + // +optional + SecretName string `json:"secretName,omitempty"` +} + // OIDCProviderSpec is a struct that describes an OIDC Provider. type OIDCProviderSpec struct { // Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the @@ -31,27 +54,9 @@ type OIDCProviderSpec struct { // +kubebuilder:validation:MinLength=1 Issuer string `json:"issuer"` - // SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, - // which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. - // When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that - // contain the certificate and private key to use for TLS. - // - // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. - // - // SNICertificateSecretName is required if you would like to use different TLS certificates for - // issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same - // DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. - // - // SNICertificateSecretName is not required when you would like to use only the - // HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you - // would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, - // which is configured elsewhere. - // - // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work - // for IP addresses. - // + // TLS configures how this OIDCProvider is served over Transport Layer Security (TLS). // +optional - SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"` + TLS *OIDCProviderTLSSpec `json:"tls,omitempty"` } // OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider. diff --git a/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index a195042d..f208d4d0 100644 --- a/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.18/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -16,7 +16,7 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec + in.Spec.DeepCopyInto(&out.Spec) in.Status.DeepCopyInto(&out.Status) return } @@ -75,6 +75,11 @@ func (in *OIDCProviderList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) { *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(OIDCProviderTLSSpec) + **out = **in + } return } @@ -108,3 +113,19 @@ func (in *OIDCProviderStatus) DeepCopy() *OIDCProviderStatus { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCProviderTLSSpec) DeepCopyInto(out *OIDCProviderTLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderTLSSpec. +func (in *OIDCProviderTLSSpec) DeepCopy() *OIDCProviderTLSSpec { + if in == nil { + return nil + } + out := new(OIDCProviderTLSSpec) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.18/client/supervisor/openapi/zz_generated.openapi.go b/generated/1.18/client/supervisor/openapi/zz_generated.openapi.go index 3d41d577..9c840d1d 100644 --- a/generated/1.18/client/supervisor/openapi/zz_generated.openapi.go +++ b/generated/1.18/client/supervisor/openapi/zz_generated.openapi.go @@ -17,61 +17,62 @@ import ( func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition { return map[string]common.OpenAPIDefinition{ - "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProvider": schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref), - "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref), - "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref), - "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList": schema_pkg_apis_meta_v1_APIResourceList(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions": schema_pkg_apis_meta_v1_APIVersions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions": schema_pkg_apis_meta_v1_CreateOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions": schema_pkg_apis_meta_v1_DeleteOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Duration": schema_pkg_apis_meta_v1_Duration(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions": schema_pkg_apis_meta_v1_ExportOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1": schema_pkg_apis_meta_v1_FieldsV1(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions": schema_pkg_apis_meta_v1_GetOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind": schema_pkg_apis_meta_v1_GroupKind(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource": schema_pkg_apis_meta_v1_GroupResource(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion": schema_pkg_apis_meta_v1_GroupVersion(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery": schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind": schema_pkg_apis_meta_v1_GroupVersionKind(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource": schema_pkg_apis_meta_v1_GroupVersionResource(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent": schema_pkg_apis_meta_v1_InternalEvent(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector": schema_pkg_apis_meta_v1_LabelSelector(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement": schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.List": schema_pkg_apis_meta_v1_List(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta": schema_pkg_apis_meta_v1_ListMeta(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions": schema_pkg_apis_meta_v1_ListOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry": schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime": schema_pkg_apis_meta_v1_MicroTime(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta": schema_pkg_apis_meta_v1_ObjectMeta(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference": schema_pkg_apis_meta_v1_OwnerReference(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata": schema_pkg_apis_meta_v1_PartialObjectMetadata(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList": schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Patch": schema_pkg_apis_meta_v1_Patch(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions": schema_pkg_apis_meta_v1_PatchOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions": schema_pkg_apis_meta_v1_Preconditions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths": schema_pkg_apis_meta_v1_RootPaths(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR": schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Status": schema_pkg_apis_meta_v1_Status(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause": schema_pkg_apis_meta_v1_StatusCause(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails": schema_pkg_apis_meta_v1_StatusDetails(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Table": schema_pkg_apis_meta_v1_Table(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition": schema_pkg_apis_meta_v1_TableColumnDefinition(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions": schema_pkg_apis_meta_v1_TableOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.TableRow": schema_pkg_apis_meta_v1_TableRow(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition": schema_pkg_apis_meta_v1_TableRowCondition(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Time": schema_pkg_apis_meta_v1_Time(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp": schema_pkg_apis_meta_v1_Timestamp(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta": schema_pkg_apis_meta_v1_TypeMeta(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions": schema_pkg_apis_meta_v1_UpdateOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent": schema_pkg_apis_meta_v1_WatchEvent(ref), - "k8s.io/apimachinery/pkg/runtime.RawExtension": schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref), - "k8s.io/apimachinery/pkg/runtime.TypeMeta": schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref), - "k8s.io/apimachinery/pkg/runtime.Unknown": schema_k8sio_apimachinery_pkg_runtime_Unknown(ref), - "k8s.io/apimachinery/pkg/version.Info": schema_k8sio_apimachinery_pkg_version_Info(ref), + "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProvider": schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref), + "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref), + "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref), + "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref), + "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList": schema_pkg_apis_meta_v1_APIResourceList(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions": schema_pkg_apis_meta_v1_APIVersions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions": schema_pkg_apis_meta_v1_CreateOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions": schema_pkg_apis_meta_v1_DeleteOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Duration": schema_pkg_apis_meta_v1_Duration(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions": schema_pkg_apis_meta_v1_ExportOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1": schema_pkg_apis_meta_v1_FieldsV1(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions": schema_pkg_apis_meta_v1_GetOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind": schema_pkg_apis_meta_v1_GroupKind(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource": schema_pkg_apis_meta_v1_GroupResource(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion": schema_pkg_apis_meta_v1_GroupVersion(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery": schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind": schema_pkg_apis_meta_v1_GroupVersionKind(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource": schema_pkg_apis_meta_v1_GroupVersionResource(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent": schema_pkg_apis_meta_v1_InternalEvent(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector": schema_pkg_apis_meta_v1_LabelSelector(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement": schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.List": schema_pkg_apis_meta_v1_List(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta": schema_pkg_apis_meta_v1_ListMeta(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions": schema_pkg_apis_meta_v1_ListOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry": schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime": schema_pkg_apis_meta_v1_MicroTime(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta": schema_pkg_apis_meta_v1_ObjectMeta(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference": schema_pkg_apis_meta_v1_OwnerReference(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata": schema_pkg_apis_meta_v1_PartialObjectMetadata(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList": schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Patch": schema_pkg_apis_meta_v1_Patch(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions": schema_pkg_apis_meta_v1_PatchOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions": schema_pkg_apis_meta_v1_Preconditions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths": schema_pkg_apis_meta_v1_RootPaths(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR": schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Status": schema_pkg_apis_meta_v1_Status(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause": schema_pkg_apis_meta_v1_StatusCause(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails": schema_pkg_apis_meta_v1_StatusDetails(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Table": schema_pkg_apis_meta_v1_Table(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition": schema_pkg_apis_meta_v1_TableColumnDefinition(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions": schema_pkg_apis_meta_v1_TableOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.TableRow": schema_pkg_apis_meta_v1_TableRow(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition": schema_pkg_apis_meta_v1_TableRowCondition(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Time": schema_pkg_apis_meta_v1_Time(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp": schema_pkg_apis_meta_v1_Timestamp(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta": schema_pkg_apis_meta_v1_TypeMeta(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions": schema_pkg_apis_meta_v1_UpdateOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent": schema_pkg_apis_meta_v1_WatchEvent(ref), + "k8s.io/apimachinery/pkg/runtime.RawExtension": schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref), + "k8s.io/apimachinery/pkg/runtime.TypeMeta": schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref), + "k8s.io/apimachinery/pkg/runtime.Unknown": schema_k8sio_apimachinery_pkg_runtime_Unknown(ref), + "k8s.io/apimachinery/pkg/version.Info": schema_k8sio_apimachinery_pkg_version_Info(ref), } } @@ -183,17 +184,18 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref common.Referenc Format: "", }, }, - "sniCertificateSecretName": { + "tls": { SchemaProps: spec.SchemaProps{ - Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.", - Type: []string{"string"}, - Format: "", + Description: "TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).", + Ref: ref("go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"), }, }, }, Required: []string{"issuer"}, }, }, + Dependencies: []string{ + "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"}, } } @@ -238,6 +240,26 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref common.Refere } } +func schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "secretName": { + SchemaProps: spec.SchemaProps{ + Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.\n\nSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/generated/1.18/crds/config.supervisor.pinniped.dev_oidcproviders.yaml b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcproviders.yaml index ce9b3240..9ffea8c7 100644 --- a/generated/1.18/crds/config.supervisor.pinniped.dev_oidcproviders.yaml +++ b/generated/1.18/crds/config.supervisor.pinniped.dev_oidcproviders.yaml @@ -47,26 +47,32 @@ spec: for more information." minLength: 1 type: string - sniCertificateSecretName: - description: "SNICertificateSecretName is an optional name of a Secret - in the same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by this - OIDC Provider. When provided, the TLS Secret named here must contain - keys named `tls.crt` and `tls.key` that contain the certificate - and private key to use for TLS. \n Server Name Indication (SNI) - is an extension to the Transport Layer Security (TLS) supported - by all major browsers. \n SNICertificateSecretName is required if - you would like to use different TLS certificates for issuers of - different hostnames. SNI requests do not include port numbers, so - all issuers with the same DNS hostname must use the same SNICertificateSecretName - value even if they have different port numbers. \n SNICertificateSecretName - is not required when you would like to use only the HTTP endpoints - (e.g. when terminating TLS at an Ingress). It is also not required - when you would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." - type: string + tls: + description: TLS configures how this OIDCProvider is served over Transport + Layer Security (TLS). + properties: + secretName: + description: "SecretName is an optional name of a Secret in the + same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by + this OIDCProvider. When provided, the TLS Secret named here + must contain keys named `tls.crt` and `tls.key` that contain + the certificate and private key to use for TLS. \n Server Name + Indication (SNI) is an extension to the Transport Layer Security + (TLS) supported by all major browsers. \n SecretName is required + if you would like to use different TLS certificates for issuers + of different hostnames. SNI requests do not include port numbers, + so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. \n + SecretName is not required when you would like to use only the + HTTP endpoints (e.g. when terminating TLS at an Ingress). It + is also not required when you would like all requests to this + OIDC Provider's HTTPS endpoints to use the default TLS certificate, + which is configured elsewhere. \n When your Issuer URL's host + is an IP address, then this field is ignored. SNI does not work + for IP addresses." + type: string + type: object required: - issuer type: object diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index 278b4711..92a2e83f 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc @@ -254,11 +254,7 @@ OIDCProviderSpec is a struct that describes an OIDC Provider. | Field | Description | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. -| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. - Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. - SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. - SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. - When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcprovidertlsspec[$$OIDCProviderTLSSpec$$]__ | TLS configures how this OIDCProvider is served over Transport Layer Security (TLS). |=== @@ -282,6 +278,27 @@ OIDCProviderStatus is a struct that describes the actual state of an OIDC Provid |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcprovidertlsspec"] +==== OIDCProviderTLSSpec + +OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. + Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers. + SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere. + When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. +|=== + + [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"] === login.concierge.pinniped.dev/v1alpha1 diff --git a/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcprovider.go b/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcprovider.go index fa9b0e5b..fd05127e 100644 --- a/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcprovider.go +++ b/generated/1.19/apis/supervisor/config/v1alpha1/types_oidcprovider.go @@ -18,6 +18,29 @@ const ( InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid") ) +// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider. +type OIDCProviderTLSSpec struct { + // SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret + // named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use + // for TLS. + // + // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. + // + // SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. + // SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same + // SecretName value even if they have different port numbers. + // + // SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an + // Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to + // use the default TLS certificate, which is configured elsewhere. + // + // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses. + // + // +optional + SecretName string `json:"secretName,omitempty"` +} + // OIDCProviderSpec is a struct that describes an OIDC Provider. type OIDCProviderSpec struct { // Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the @@ -31,27 +54,9 @@ type OIDCProviderSpec struct { // +kubebuilder:validation:MinLength=1 Issuer string `json:"issuer"` - // SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, - // which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. - // When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that - // contain the certificate and private key to use for TLS. - // - // Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers. - // - // SNICertificateSecretName is required if you would like to use different TLS certificates for - // issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same - // DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers. - // - // SNICertificateSecretName is not required when you would like to use only the - // HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you - // would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, - // which is configured elsewhere. - // - // When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work - // for IP addresses. - // + // TLS configures how this OIDCProvider is served over Transport Layer Security (TLS). // +optional - SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"` + TLS *OIDCProviderTLSSpec `json:"tls,omitempty"` } // OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider. diff --git a/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go index a195042d..f208d4d0 100644 --- a/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.19/apis/supervisor/config/v1alpha1/zz_generated.deepcopy.go @@ -16,7 +16,7 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec + in.Spec.DeepCopyInto(&out.Spec) in.Status.DeepCopyInto(&out.Status) return } @@ -75,6 +75,11 @@ func (in *OIDCProviderList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) { *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(OIDCProviderTLSSpec) + **out = **in + } return } @@ -108,3 +113,19 @@ func (in *OIDCProviderStatus) DeepCopy() *OIDCProviderStatus { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCProviderTLSSpec) DeepCopyInto(out *OIDCProviderTLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderTLSSpec. +func (in *OIDCProviderTLSSpec) DeepCopy() *OIDCProviderTLSSpec { + if in == nil { + return nil + } + out := new(OIDCProviderTLSSpec) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.19/client/supervisor/openapi/zz_generated.openapi.go b/generated/1.19/client/supervisor/openapi/zz_generated.openapi.go index ab5a1e2c..d84b594d 100644 --- a/generated/1.19/client/supervisor/openapi/zz_generated.openapi.go +++ b/generated/1.19/client/supervisor/openapi/zz_generated.openapi.go @@ -17,62 +17,63 @@ import ( func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition { return map[string]common.OpenAPIDefinition{ - "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProvider": schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref), - "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref), - "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref), - "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList": schema_pkg_apis_meta_v1_APIResourceList(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions": schema_pkg_apis_meta_v1_APIVersions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Condition": schema_pkg_apis_meta_v1_Condition(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions": schema_pkg_apis_meta_v1_CreateOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions": schema_pkg_apis_meta_v1_DeleteOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Duration": schema_pkg_apis_meta_v1_Duration(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions": schema_pkg_apis_meta_v1_ExportOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1": schema_pkg_apis_meta_v1_FieldsV1(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions": schema_pkg_apis_meta_v1_GetOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind": schema_pkg_apis_meta_v1_GroupKind(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource": schema_pkg_apis_meta_v1_GroupResource(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion": schema_pkg_apis_meta_v1_GroupVersion(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery": schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind": schema_pkg_apis_meta_v1_GroupVersionKind(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource": schema_pkg_apis_meta_v1_GroupVersionResource(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent": schema_pkg_apis_meta_v1_InternalEvent(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector": schema_pkg_apis_meta_v1_LabelSelector(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement": schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.List": schema_pkg_apis_meta_v1_List(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta": schema_pkg_apis_meta_v1_ListMeta(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions": schema_pkg_apis_meta_v1_ListOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry": schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime": schema_pkg_apis_meta_v1_MicroTime(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta": schema_pkg_apis_meta_v1_ObjectMeta(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference": schema_pkg_apis_meta_v1_OwnerReference(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata": schema_pkg_apis_meta_v1_PartialObjectMetadata(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList": schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Patch": schema_pkg_apis_meta_v1_Patch(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions": schema_pkg_apis_meta_v1_PatchOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions": schema_pkg_apis_meta_v1_Preconditions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths": schema_pkg_apis_meta_v1_RootPaths(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR": schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Status": schema_pkg_apis_meta_v1_Status(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause": schema_pkg_apis_meta_v1_StatusCause(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails": schema_pkg_apis_meta_v1_StatusDetails(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Table": schema_pkg_apis_meta_v1_Table(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition": schema_pkg_apis_meta_v1_TableColumnDefinition(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions": schema_pkg_apis_meta_v1_TableOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.TableRow": schema_pkg_apis_meta_v1_TableRow(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition": schema_pkg_apis_meta_v1_TableRowCondition(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Time": schema_pkg_apis_meta_v1_Time(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp": schema_pkg_apis_meta_v1_Timestamp(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta": schema_pkg_apis_meta_v1_TypeMeta(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions": schema_pkg_apis_meta_v1_UpdateOptions(ref), - "k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent": schema_pkg_apis_meta_v1_WatchEvent(ref), - "k8s.io/apimachinery/pkg/runtime.RawExtension": schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref), - "k8s.io/apimachinery/pkg/runtime.TypeMeta": schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref), - "k8s.io/apimachinery/pkg/runtime.Unknown": schema_k8sio_apimachinery_pkg_runtime_Unknown(ref), - "k8s.io/apimachinery/pkg/version.Info": schema_k8sio_apimachinery_pkg_version_Info(ref), + "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProvider": schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref), + "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref), + "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref), + "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref), + "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList": schema_pkg_apis_meta_v1_APIResourceList(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions": schema_pkg_apis_meta_v1_APIVersions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Condition": schema_pkg_apis_meta_v1_Condition(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions": schema_pkg_apis_meta_v1_CreateOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions": schema_pkg_apis_meta_v1_DeleteOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Duration": schema_pkg_apis_meta_v1_Duration(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions": schema_pkg_apis_meta_v1_ExportOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1": schema_pkg_apis_meta_v1_FieldsV1(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions": schema_pkg_apis_meta_v1_GetOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind": schema_pkg_apis_meta_v1_GroupKind(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource": schema_pkg_apis_meta_v1_GroupResource(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion": schema_pkg_apis_meta_v1_GroupVersion(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery": schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind": schema_pkg_apis_meta_v1_GroupVersionKind(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource": schema_pkg_apis_meta_v1_GroupVersionResource(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent": schema_pkg_apis_meta_v1_InternalEvent(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector": schema_pkg_apis_meta_v1_LabelSelector(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement": schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.List": schema_pkg_apis_meta_v1_List(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta": schema_pkg_apis_meta_v1_ListMeta(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions": schema_pkg_apis_meta_v1_ListOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry": schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime": schema_pkg_apis_meta_v1_MicroTime(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta": schema_pkg_apis_meta_v1_ObjectMeta(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference": schema_pkg_apis_meta_v1_OwnerReference(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata": schema_pkg_apis_meta_v1_PartialObjectMetadata(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList": schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Patch": schema_pkg_apis_meta_v1_Patch(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions": schema_pkg_apis_meta_v1_PatchOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions": schema_pkg_apis_meta_v1_Preconditions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths": schema_pkg_apis_meta_v1_RootPaths(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR": schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Status": schema_pkg_apis_meta_v1_Status(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause": schema_pkg_apis_meta_v1_StatusCause(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails": schema_pkg_apis_meta_v1_StatusDetails(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Table": schema_pkg_apis_meta_v1_Table(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition": schema_pkg_apis_meta_v1_TableColumnDefinition(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions": schema_pkg_apis_meta_v1_TableOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.TableRow": schema_pkg_apis_meta_v1_TableRow(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition": schema_pkg_apis_meta_v1_TableRowCondition(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Time": schema_pkg_apis_meta_v1_Time(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp": schema_pkg_apis_meta_v1_Timestamp(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta": schema_pkg_apis_meta_v1_TypeMeta(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions": schema_pkg_apis_meta_v1_UpdateOptions(ref), + "k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent": schema_pkg_apis_meta_v1_WatchEvent(ref), + "k8s.io/apimachinery/pkg/runtime.RawExtension": schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref), + "k8s.io/apimachinery/pkg/runtime.TypeMeta": schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref), + "k8s.io/apimachinery/pkg/runtime.Unknown": schema_k8sio_apimachinery_pkg_runtime_Unknown(ref), + "k8s.io/apimachinery/pkg/version.Info": schema_k8sio_apimachinery_pkg_version_Info(ref), } } @@ -184,17 +185,18 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref common.Referenc Format: "", }, }, - "sniCertificateSecretName": { + "tls": { SchemaProps: spec.SchemaProps{ - Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.", - Type: []string{"string"}, - Format: "", + Description: "TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).", + Ref: ref("go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"), }, }, }, Required: []string{"issuer"}, }, }, + Dependencies: []string{ + "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"}, } } @@ -239,6 +241,26 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref common.Refere } } +func schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "secretName": { + SchemaProps: spec.SchemaProps{ + Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.\n\nSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/generated/1.19/crds/config.supervisor.pinniped.dev_oidcproviders.yaml b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcproviders.yaml index ce9b3240..9ffea8c7 100644 --- a/generated/1.19/crds/config.supervisor.pinniped.dev_oidcproviders.yaml +++ b/generated/1.19/crds/config.supervisor.pinniped.dev_oidcproviders.yaml @@ -47,26 +47,32 @@ spec: for more information." minLength: 1 type: string - sniCertificateSecretName: - description: "SNICertificateSecretName is an optional name of a Secret - in the same namespace, of type `kubernetes.io/tls`, which contains - the TLS serving certificate for the HTTPS endpoints served by this - OIDC Provider. When provided, the TLS Secret named here must contain - keys named `tls.crt` and `tls.key` that contain the certificate - and private key to use for TLS. \n Server Name Indication (SNI) - is an extension to the Transport Layer Security (TLS) supported - by all major browsers. \n SNICertificateSecretName is required if - you would like to use different TLS certificates for issuers of - different hostnames. SNI requests do not include port numbers, so - all issuers with the same DNS hostname must use the same SNICertificateSecretName - value even if they have different port numbers. \n SNICertificateSecretName - is not required when you would like to use only the HTTP endpoints - (e.g. when terminating TLS at an Ingress). It is also not required - when you would like all requests to this OIDC Provider's HTTPS endpoints - to use the default TLS certificate, which is configured elsewhere. - \n When your Issuer URL's host is an IP address, then this field - is ignored. SNI does not work for IP addresses." - type: string + tls: + description: TLS configures how this OIDCProvider is served over Transport + Layer Security (TLS). + properties: + secretName: + description: "SecretName is an optional name of a Secret in the + same namespace, of type `kubernetes.io/tls`, which contains + the TLS serving certificate for the HTTPS endpoints served by + this OIDCProvider. When provided, the TLS Secret named here + must contain keys named `tls.crt` and `tls.key` that contain + the certificate and private key to use for TLS. \n Server Name + Indication (SNI) is an extension to the Transport Layer Security + (TLS) supported by all major browsers. \n SecretName is required + if you would like to use different TLS certificates for issuers + of different hostnames. SNI requests do not include port numbers, + so all issuers with the same DNS hostname must use the same + SecretName value even if they have different port numbers. \n + SecretName is not required when you would like to use only the + HTTP endpoints (e.g. when terminating TLS at an Ingress). It + is also not required when you would like all requests to this + OIDC Provider's HTTPS endpoints to use the default TLS certificate, + which is configured elsewhere. \n When your Issuer URL's host + is an IP address, then this field is ignored. SNI does not work + for IP addresses." + type: string + type: object required: - issuer type: object diff --git a/internal/controller/supervisorconfig/oidcproviderconfig_watcher.go b/internal/controller/supervisorconfig/oidcproviderconfig_watcher.go index ec780480..99b55894 100644 --- a/internal/controller/supervisorconfig/oidcproviderconfig_watcher.go +++ b/internal/controller/supervisorconfig/oidcproviderconfig_watcher.go @@ -102,7 +102,9 @@ func (c *oidcProviderWatcherController) Sync(ctx controllerlib.Context) error { setOfSecretNames = make(map[string]bool) uniqueSecretNamesPerIssuerAddress[issuerURLToHostnameKey(issuerURL)] = setOfSecretNames } - setOfSecretNames[opc.Spec.SNICertificateSecretName] = true + if opc.Spec.TLS != nil { + setOfSecretNames[opc.Spec.TLS.SecretName] = true + } } errs := multierror.New() diff --git a/internal/controller/supervisorconfig/oidcproviderconfig_watcher_test.go b/internal/controller/supervisorconfig/oidcproviderconfig_watcher_test.go index 7d447090..91270999 100644 --- a/internal/controller/supervisorconfig/oidcproviderconfig_watcher_test.go +++ b/internal/controller/supervisorconfig/oidcproviderconfig_watcher_test.go @@ -819,8 +819,8 @@ func TestSync(t *testing.T) { oidcProviderSameIssuerAddress1 = &v1alpha1.OIDCProvider{ ObjectMeta: metav1.ObjectMeta{Name: "provider1", Namespace: namespace}, Spec: v1alpha1.OIDCProviderSpec{ - Issuer: "https://iSSueR-duPlicAte-adDress.cOm/path1", - SNICertificateSecretName: "secret1", + Issuer: "https://iSSueR-duPlicAte-adDress.cOm/path1", + TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "secret1"}, }, } r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderSameIssuerAddress1)) @@ -830,8 +830,8 @@ func TestSync(t *testing.T) { Spec: v1alpha1.OIDCProviderSpec{ // Validation treats these as the same DNS hostname even though they have different port numbers, // because SNI information on the incoming requests is not going to include port numbers. - Issuer: "https://issuer-duplicate-address.com:1234/path2", - SNICertificateSecretName: "secret2", + Issuer: "https://issuer-duplicate-address.com:1234/path2", + TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "secret2"}, }, } r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderSameIssuerAddress2)) @@ -840,8 +840,8 @@ func TestSync(t *testing.T) { oidcProviderDifferentIssuerAddress = &v1alpha1.OIDCProvider{ ObjectMeta: metav1.ObjectMeta{Name: "differentIssuerAddressProvider", Namespace: namespace}, Spec: v1alpha1.OIDCProviderSpec{ - Issuer: "https://issuer-not-duplicate.com", - SNICertificateSecretName: "secret1", + Issuer: "https://issuer-not-duplicate.com", + TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "secret1"}, }, } r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderDifferentIssuerAddress)) @@ -855,8 +855,8 @@ func TestSync(t *testing.T) { oidcProviderWithInvalidIssuerURL = &v1alpha1.OIDCProvider{ ObjectMeta: metav1.ObjectMeta{Name: "invalidIssuerURLProvider", Namespace: namespace}, Spec: v1alpha1.OIDCProviderSpec{ - Issuer: invalidIssuerURL, - SNICertificateSecretName: "secret1", + Issuer: invalidIssuerURL, + TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "secret1"}, }, } r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderWithInvalidIssuerURL)) diff --git a/internal/controller/supervisorconfig/tls_cert_observer.go b/internal/controller/supervisorconfig/tls_cert_observer.go index 9dfc7631..7b604f57 100644 --- a/internal/controller/supervisorconfig/tls_cert_observer.go +++ b/internal/controller/supervisorconfig/tls_cert_observer.go @@ -72,7 +72,10 @@ func (c *tlsCertObserverController) Sync(ctx controllerlib.Context) error { issuerHostToTLSCertMap := map[string]*tls.Certificate{} for _, provider := range allProviders { - secretName := provider.Spec.SNICertificateSecretName + secretName := "" + if provider.Spec.TLS != nil { + secretName = provider.Spec.TLS.SecretName + } issuerURL, err := url.Parse(provider.Spec.Issuer) if err != nil { klog.InfoS("tlsCertObserverController Sync found an invalid issuer URL", "namespace", ns, "issuer", provider.Spec.Issuer) diff --git a/internal/controller/supervisorconfig/tls_cert_observer_test.go b/internal/controller/supervisorconfig/tls_cert_observer_test.go index 7f3ca7ce..7950af29 100644 --- a/internal/controller/supervisorconfig/tls_cert_observer_test.go +++ b/internal/controller/supervisorconfig/tls_cert_observer_test.go @@ -225,8 +225,8 @@ func TestTLSCertObserverControllerSync(t *testing.T) { Namespace: installedInNamespace, }, Spec: v1alpha1.OIDCProviderSpec{ - Issuer: "https://no-secret-issuer2.com", - SNICertificateSecretName: "", + Issuer: "https://no-secret-issuer2.com", + TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: ""}, }, } oidcProviderWithBadSecret := &v1alpha1.OIDCProvider{ @@ -235,8 +235,8 @@ func TestTLSCertObserverControllerSync(t *testing.T) { Namespace: installedInNamespace, }, Spec: v1alpha1.OIDCProviderSpec{ - Issuer: "https://bad-secret-issuer.com", - SNICertificateSecretName: "bad-tls-secret-name", + Issuer: "https://bad-secret-issuer.com", + TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "bad-tls-secret-name"}, }, } // Also add one with a URL that cannot be parsed to make sure that the controller is not confused by invalid URLs. @@ -257,8 +257,8 @@ func TestTLSCertObserverControllerSync(t *testing.T) { }, // Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test without a port number. Spec: v1alpha1.OIDCProviderSpec{ - Issuer: "https://www.iSSuer-wiTh-goOd-secRet1.cOm/path", - SNICertificateSecretName: "good-tls-secret-name1", + Issuer: "https://www.iSSuer-wiTh-goOd-secRet1.cOm/path", + TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "good-tls-secret-name1"}, }, } oidcProviderWithGoodSecret2 := &v1alpha1.OIDCProvider{ @@ -268,8 +268,8 @@ func TestTLSCertObserverControllerSync(t *testing.T) { }, // Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test with a port number. Spec: v1alpha1.OIDCProviderSpec{ - Issuer: "https://www.issUEr-WIth-gOOd-seCret2.com:1234/path", - SNICertificateSecretName: "good-tls-secret-name2", + Issuer: "https://www.issUEr-WIth-gOOd-seCret2.com:1234/path", + TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "good-tls-secret-name2"}, }, } testCrt1 := readTestFile("testdata/test.crt") diff --git a/test/integration/supervisor_discovery_test.go b/test/integration/supervisor_discovery_test.go index 5da1b7fe..32c4c004 100644 --- a/test/integration/supervisor_discovery_test.go +++ b/test/integration/supervisor_discovery_test.go @@ -159,26 +159,26 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) { hostname1 := strings.Split(address, ":")[0] issuer1 := fmt.Sprintf("%s://%s/issuer1", scheme, address) - sniCertificateSecretName1 := "integration-test-sni-cert-1" + certSecretName1 := "integration-test-cert-1" - // Create an OIDCProvider with an sniCertificateSecretName. - oidcProvider1 := library.CreateTestOIDCProvider(ctx, t, issuer1, sniCertificateSecretName1) + // Create an OIDCProvider with a spec.tls.secretName. + oidcProvider1 := library.CreateTestOIDCProvider(ctx, t, issuer1, certSecretName1) requireStatus(t, pinnipedClient, oidcProvider1.Namespace, oidcProvider1.Name, v1alpha1.SuccessOIDCProviderStatusCondition) - // The sniCertificateSecretName Secret does not exist, so the endpoints should fail with TLS errors. + // The spec.tls.secretName Secret does not exist, so the endpoints should fail with TLS errors. requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1) // Create the Secret. - ca1 := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, sniCertificateSecretName1, kubeClient) + ca1 := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, certSecretName1, kubeClient) // Now that the Secret exists, we should be able to access the endpoints by hostname using the CA. _ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1.Bundle()), issuer1, nil) - // Update the config to take away the sniCertificateSecretName. - sniCertificateSecretName1update := "integration-test-sni-cert-1-update" + // Update the config to with a new .spec.tls.secretName. + certSecretName1update := "integration-test-cert-1-update" oidcProvider1LatestVersion, err := pinnipedClient.ConfigV1alpha1().OIDCProviders(ns).Get(ctx, oidcProvider1.Name, metav1.GetOptions{}) require.NoError(t, err) - oidcProvider1LatestVersion.Spec.SNICertificateSecretName = sniCertificateSecretName1update + oidcProvider1LatestVersion.Spec.TLS = &v1alpha1.OIDCProviderTLSSpec{SecretName: certSecretName1update} _, err = pinnipedClient.ConfigV1alpha1().OIDCProviders(ns).Update(ctx, oidcProvider1LatestVersion, metav1.UpdateOptions{}) require.NoError(t, err) @@ -186,7 +186,7 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) { requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1) // Create a Secret at the updated name. - ca1update := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, sniCertificateSecretName1update, kubeClient) + ca1update := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, certSecretName1update, kubeClient) // Now that the Secret exists at the new name, we should be able to access the endpoints by hostname using the CA. _ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1update.Bundle()), issuer1, nil) @@ -195,14 +195,14 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) { hostname2 := "some-issuer-host-and-port-that-doesnt-match-public-supervisor-address.com" hostnamePort2 := "2684" issuer2 := fmt.Sprintf("%s://%s:%s/issuer2", scheme, hostname2, hostnamePort2) - sniCertificateSecretName2 := "integration-test-sni-cert-2" + certSecretName2 := "integration-test-cert-2" - // Create an OIDCProvider with an sniCertificateSecretName. - oidcProvider2 := library.CreateTestOIDCProvider(ctx, t, issuer2, sniCertificateSecretName2) + // Create an OIDCProvider with a spec.tls.secretName. + oidcProvider2 := library.CreateTestOIDCProvider(ctx, t, issuer2, certSecretName2) requireStatus(t, pinnipedClient, oidcProvider2.Namespace, oidcProvider2.Name, v1alpha1.SuccessOIDCProviderStatusCondition) // Create the Secret. - ca2 := createTLSCertificateSecret(ctx, t, ns, hostname2, nil, sniCertificateSecretName2, kubeClient) + ca2 := createTLSCertificateSecret(ctx, t, ns, hostname2, nil, certSecretName2, kubeClient) // Now that the Secret exists, we should be able to access the endpoints by hostname using the CA. _ = requireDiscoveryEndpointsAreWorking(t, scheme, hostname2+":"+hostnamePort2, string(ca2.Bundle()), issuer2, map[string]string{ @@ -240,11 +240,11 @@ func TestSupervisorTLSTerminationWithDefaultCerts(t *testing.T) { issuerUsingIPAddress := fmt.Sprintf("%s://%s/issuer1", scheme, ipWithPort) issuerUsingHostname := fmt.Sprintf("%s://%s/issuer1", scheme, address) - // Create an OIDCProvider without an sniCertificateSecretName. + // Create an OIDCProvider without a spec.tls.secretName. oidcProvider1 := library.CreateTestOIDCProvider(ctx, t, issuerUsingIPAddress, "") requireStatus(t, pinnipedClient, oidcProvider1.Namespace, oidcProvider1.Name, v1alpha1.SuccessOIDCProviderStatusCondition) - // There is no default TLS cert and the sniCertificateSecretName was not set, so the endpoints should fail with TLS errors. + // There is no default TLS cert and the spec.tls.secretName was not set, so the endpoints should fail with TLS errors. requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuerUsingIPAddress) // Create a Secret at the special name which represents the default TLS cert. @@ -253,18 +253,18 @@ func TestSupervisorTLSTerminationWithDefaultCerts(t *testing.T) { // Now that the Secret exists, we should be able to access the endpoints by IP address using the CA. _ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil) - // Create an OIDCProvider with an sniCertificateSecretName. - sniCertificateSecretName := "integration-test-sni-cert-1" - oidcProvider2 := library.CreateTestOIDCProvider(ctx, t, issuerUsingHostname, sniCertificateSecretName) + // Create an OIDCProvider with a spec.tls.secretName. + certSecretName := "integration-test-cert-1" + oidcProvider2 := library.CreateTestOIDCProvider(ctx, t, issuerUsingHostname, certSecretName) requireStatus(t, pinnipedClient, oidcProvider2.Namespace, oidcProvider2.Name, v1alpha1.SuccessOIDCProviderStatusCondition) // Create the Secret. - sniCA := createTLSCertificateSecret(ctx, t, ns, hostname, nil, sniCertificateSecretName, kubeClient) + certCA := createTLSCertificateSecret(ctx, t, ns, hostname, nil, certSecretName, kubeClient) // Now that the Secret exists, we should be able to access the endpoints by hostname using the CA from the SNI cert. // Hostnames are case-insensitive, so the request should still work even if the case of the hostname is different // from the case of the issuer URL's hostname. - _ = requireDiscoveryEndpointsAreWorking(t, scheme, strings.ToUpper(hostname)+":"+port, string(sniCA.Bundle()), issuerUsingHostname, nil) + _ = requireDiscoveryEndpointsAreWorking(t, scheme, strings.ToUpper(hostname)+":"+port, string(certCA.Bundle()), issuerUsingHostname, nil) // And we can still access the other issuer using the default cert. _ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil) diff --git a/test/library/client.go b/test/library/client.go index f880662f..f5aba3a6 100644 --- a/test/library/client.go +++ b/test/library/client.go @@ -172,7 +172,7 @@ func CreateTestWebhookAuthenticator(ctx context.Context, t *testing.T) corev1.Ty // // If the provided issuer is not the empty string, then it will be used for the // OIDCProvider.Spec.Issuer field. Else, a random issuer will be generated. -func CreateTestOIDCProvider(ctx context.Context, t *testing.T, issuer, sniCertificateSecretName string) *configv1alpha1.OIDCProvider { +func CreateTestOIDCProvider(ctx context.Context, t *testing.T, issuer, certSecretName string) *configv1alpha1.OIDCProvider { t.Helper() testEnv := IntegrationEnv(t) @@ -193,8 +193,8 @@ func CreateTestOIDCProvider(ctx context.Context, t *testing.T, issuer, sniCertif Annotations: map[string]string{"pinniped.dev/testName": t.Name()}, }, Spec: configv1alpha1.OIDCProviderSpec{ - Issuer: issuer, - SNICertificateSecretName: sniCertificateSecretName, + Issuer: issuer, + TLS: &configv1alpha1.OIDCProviderTLSSpec{SecretName: certSecretName}, }, }, metav1.CreateOptions{}) require.NoError(t, err, "could not create test OIDCProvider")