Replace the OIDCProvider field SNICertificateSecretName with a TLS.SecretName field.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
This commit is contained in:
Matt Moyer 2020-11-02 16:55:29 -06:00
parent 2b8773aa54
commit 2bf5c8b48b
No known key found for this signature in database
GPG Key ID: EAE88AD172C5AE2D
24 changed files with 634 additions and 403 deletions


@ -18,6 +18,29 @@ const (
InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid") InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid")
) )
// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
type OIDCProviderTLSSpec struct {
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
// the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret
// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
// for TLS.
//
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
// SecretName value even if they have different port numbers.
//
// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
// use the default TLS certificate, which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
//
// +optional
SecretName string `json:"secretName,omitempty"`
}
// OIDCProviderSpec is a struct that describes an OIDC Provider. // OIDCProviderSpec is a struct that describes an OIDC Provider.
type OIDCProviderSpec struct { type OIDCProviderSpec struct {
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the // Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -31,27 +54,9 @@ type OIDCProviderSpec struct {
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"` Issuer string `json:"issuer"`
// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, // TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
// contain the certificate and private key to use for TLS.
//
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SNICertificateSecretName is required if you would like to use different TLS certificates for
// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
//
// SNICertificateSecretName is not required when you would like to use only the
// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
// which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
// for IP addresses.
//
// +optional // +optional
SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"` TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
} }
// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider. // OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
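Review bot: The new SecretName field carries only `+optional`, so `tls: {}` and `tls: {secretName: ""}` both pass admission and leave Spec.TLS non-nil with an empty name, and nothing in the hunk says whether the server treats that as "use the default certificate" or as a misconfiguration. Either add `// +kubebuilder:validation:MinLength=1` above the field, matching the marker Issuer carries a few lines up, so an explicit empty string is rejected at admission, or state the behavior in the doc comment, e.g. `// An empty SecretName is treated the same as omitting the tls block.` The comment also does not say what happens when the named Secret is missing, is not of type kubernetes.io/tls, or lacks tls.crt/tls.key — presumably the provider is marked with the Invalid status condition declared at the top of this file rather than silently falling back to the default certificate, but an operator needs that spelled out because a silent fallback changes which certificate is presented for that hostname. The same applies to the identical generated copy of this file further down the page.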


@ -146,9 +146,11 @@ spec:
# The hostname would typically match the DNS name of the public ingress or load balancer for the cluster. # The hostname would typically match the DNS name of the public ingress or load balancer for the cluster.
# Any path can be specified, which allows a single hostname to have multiple different issuers. The path is optional. # Any path can be specified, which allows a single hostname to have multiple different issuers. The path is optional.
issuer: https://my-issuer.example.com/any/path issuer: https://my-issuer.example.com/any/path
# Optionally configure the name of a Secret in the same namespace, of type `kubernetes.io/tls`, # Optionally configure the name of a Secret in the same namespace, of type `kubernetes.io/tls`,
# which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. # which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
sniCertificateSecretName: my-tls-cert-secret tls:
secretName: my-tls-cert-secret
``` ```
#### Configuring TLS for the Supervisor OIDC Endpoints #### Configuring TLS for the Supervisor OIDC Endpoints
@ -159,17 +161,17 @@ configure TLS certificates on the OIDCProvider.
If you are using a LoadBalancer Service to expose the Supervisor app outside your cluster, then you will If you are using a LoadBalancer Service to expose the Supervisor app outside your cluster, then you will
also need to configure the Supervisor app to terminate TLS. There are two places to configure TLS certificates: also need to configure the Supervisor app to terminate TLS. There are two places to configure TLS certificates:
1. Each `OIDCProvider` can be configured with TLS certificates, using the `sniCertificateSecretName` field. 1. Each `OIDCProvider` can be configured with TLS certificates, using the `spec.tls.secretName` field.
1. The default TLS certificate for all OIDC providers can be configured by creating a Secret called 1. The default TLS certificate for all OIDC providers can be configured by creating a Secret called
`pinniped-supervisor-default-tls-certificate` in the same namespace in which the Supervisor was installed. `pinniped-supervisor-default-tls-certificate` in the same namespace in which the Supervisor was installed.
The default TLS certificate will be used for all OIDC providers which did not declare an `sniCertificateSecretName`. The default TLS certificate will be used for all OIDC providers which did not declare a `spec.tls.secretName`.
Also, the `sniCertificateSecretName` will be ignored for incoming requests to the OIDC endpoints Also, the `spec.tls.secretName` will be ignored for incoming requests to the OIDC endpoints
that use an IP address as the host, so those requests will always present the default TLS certificates that use an IP address as the host, so those requests will always present the default TLS certificates
to the client. When the request includes the hostname, and that hostname matches the hostname of an `Issuer`, to the client. When the request includes the hostname, and that hostname matches the hostname of an `Issuer`,
then the TLS certificate defined by the `sniCertificateSecretName` will be used. If that issuer did not then the TLS certificate defined by the `spec.tls.secretName` will be used. If that issuer did not
define `sniCertificateSecretName` then the default TLS certificate will be used. If neither exists, define `spec.tls.secretName` then the default TLS certificate will be used. If neither exists,
then the client will get a TLS error because the server will not present any TLS certificate. then the client will get a TLS error because the server will not present any TLS certificate.
It is recommended that you have a DNS entry for your load balancer or Ingress, and that you configure the It is recommended that you have a DNS entry for your load balancer or Ingress, and that you configure the


@ -47,26 +47,32 @@ spec:
for more information." for more information."
minLength: 1 minLength: 1
type: string type: string
sniCertificateSecretName: tls:
description: "SNICertificateSecretName is an optional name of a Secret description: TLS configures how this OIDCProvider is served over Transport
in the same namespace, of type `kubernetes.io/tls`, which contains Layer Security (TLS).
the TLS serving certificate for the HTTPS endpoints served by this properties:
OIDC Provider. When provided, the TLS Secret named here must contain secretName:
keys named `tls.crt` and `tls.key` that contain the certificate description: "SecretName is an optional name of a Secret in the
and private key to use for TLS. \n Server Name Indication (SNI) same namespace, of type `kubernetes.io/tls`, which contains
is an extension to the Transport Layer Security (TLS) supported the TLS serving certificate for the HTTPS endpoints served by
by all major browsers. \n SNICertificateSecretName is required if this OIDCProvider. When provided, the TLS Secret named here
you would like to use different TLS certificates for issuers of must contain keys named `tls.crt` and `tls.key` that contain
different hostnames. SNI requests do not include port numbers, so the certificate and private key to use for TLS. \n Server Name
all issuers with the same DNS hostname must use the same SNICertificateSecretName Indication (SNI) is an extension to the Transport Layer Security
value even if they have different port numbers. \n SNICertificateSecretName (TLS) supported by all major browsers. \n SecretName is required
is not required when you would like to use only the HTTP endpoints if you would like to use different TLS certificates for issuers
(e.g. when terminating TLS at an Ingress). It is also not required of different hostnames. SNI requests do not include port numbers,
when you would like all requests to this OIDC Provider's HTTPS endpoints so all issuers with the same DNS hostname must use the same
to use the default TLS certificate, which is configured elsewhere. SecretName value even if they have different port numbers. \n
\n When your Issuer URL's host is an IP address, then this field SecretName is not required when you would like to use only the
is ignored. SNI does not work for IP addresses." HTTP endpoints (e.g. when terminating TLS at an Ingress). It
is also not required when you would like all requests to this
OIDC Provider's HTTPS endpoints to use the default TLS certificate,
which is configured elsewhere. \n When your Issuer URL's host
is an IP address, then this field is ignored. SNI does not work
for IP addresses."
type: string type: string
type: object
required: required:
- issuer - issuer
type: object type: object


@ -254,11 +254,7 @@ OIDCProviderSpec is a struct that describes an OIDC Provider.
| Field | Description | Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcprovidertlsspec[$$OIDCProviderTLSSpec$$]__ | TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|=== |===
@ -282,6 +278,27 @@ OIDCProviderStatus is a struct that describes the actual state of an OIDC Provid
|=== |===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcprovidertlsspec"]
==== OIDCProviderTLSSpec
OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.
SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|===
[id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"] [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
=== login.concierge.pinniped.dev/v1alpha1 === login.concierge.pinniped.dev/v1alpha1


@ -18,6 +18,29 @@ const (
InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid") InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid")
) )
// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
type OIDCProviderTLSSpec struct {
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
// the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret
// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
// for TLS.
//
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
// SecretName value even if they have different port numbers.
//
// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
// use the default TLS certificate, which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
//
// +optional
SecretName string `json:"secretName,omitempty"`
}
// OIDCProviderSpec is a struct that describes an OIDC Provider. // OIDCProviderSpec is a struct that describes an OIDC Provider.
type OIDCProviderSpec struct { type OIDCProviderSpec struct {
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the // Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -31,27 +54,9 @@ type OIDCProviderSpec struct {
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"` Issuer string `json:"issuer"`
// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, // TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
// contain the certificate and private key to use for TLS.
//
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SNICertificateSecretName is required if you would like to use different TLS certificates for
// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
//
// SNICertificateSecretName is not required when you would like to use only the
// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
// which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
// for IP addresses.
//
// +optional // +optional
SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"` TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
} }
// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider. // OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.


@ -16,7 +16,7 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) {
*out = *in *out = *in
out.TypeMeta = in.TypeMeta out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status) in.Status.DeepCopyInto(&out.Status)
return return
} }
@ -75,6 +75,11 @@ func (in *OIDCProviderList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) { func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
*out = *in *out = *in
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(OIDCProviderTLSSpec)
**out = **in
}
return return
} }
@ -108,3 +113,19 @@ func (in *OIDCProviderStatus) DeepCopy() *OIDCProviderStatus {
in.DeepCopyInto(out) in.DeepCopyInto(out)
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCProviderTLSSpec) DeepCopyInto(out *OIDCProviderTLSSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderTLSSpec.
func (in *OIDCProviderTLSSpec) DeepCopy() *OIDCProviderTLSSpec {
if in == nil {
return nil
}
out := new(OIDCProviderTLSSpec)
in.DeepCopyInto(out)
return out
}


@ -21,6 +21,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref), "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref), "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref), "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref),
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref), "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref),
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref), "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref),
"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref), "k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref),
@ -183,17 +184,18 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref common.Referenc
Format: "", Format: "",
}, },
}, },
"sniCertificateSecretName": { "tls": {
SchemaProps: spec.SchemaProps{ SchemaProps: spec.SchemaProps{
Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.", Description: "TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).",
Type: []string{"string"}, Ref: ref("go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"),
Format: "",
}, },
}, },
}, },
Required: []string{"issuer"}, Required: []string{"issuer"},
}, },
}, },
Dependencies: []string{
"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"},
} }
} }
@ -238,6 +240,26 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref common.Refere
} }
} }
func schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"secretName": {
SchemaProps: spec.SchemaProps{
Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.\n\nSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
Type: []string{"string"},
Format: "",
},
},
},
},
},
}
}
func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition { func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{ return common.OpenAPIDefinition{
Schema: spec.Schema{ Schema: spec.Schema{


@ -47,26 +47,32 @@ spec:
for more information." for more information."
minLength: 1 minLength: 1
type: string type: string
sniCertificateSecretName: tls:
description: "SNICertificateSecretName is an optional name of a Secret description: TLS configures how this OIDCProvider is served over Transport
in the same namespace, of type `kubernetes.io/tls`, which contains Layer Security (TLS).
the TLS serving certificate for the HTTPS endpoints served by this properties:
OIDC Provider. When provided, the TLS Secret named here must contain secretName:
keys named `tls.crt` and `tls.key` that contain the certificate description: "SecretName is an optional name of a Secret in the
and private key to use for TLS. \n Server Name Indication (SNI) same namespace, of type `kubernetes.io/tls`, which contains
is an extension to the Transport Layer Security (TLS) supported the TLS serving certificate for the HTTPS endpoints served by
by all major browsers. \n SNICertificateSecretName is required if this OIDCProvider. When provided, the TLS Secret named here
you would like to use different TLS certificates for issuers of must contain keys named `tls.crt` and `tls.key` that contain
different hostnames. SNI requests do not include port numbers, so the certificate and private key to use for TLS. \n Server Name
all issuers with the same DNS hostname must use the same SNICertificateSecretName Indication (SNI) is an extension to the Transport Layer Security
value even if they have different port numbers. \n SNICertificateSecretName (TLS) supported by all major browsers. \n SecretName is required
is not required when you would like to use only the HTTP endpoints if you would like to use different TLS certificates for issuers
(e.g. when terminating TLS at an Ingress). It is also not required of different hostnames. SNI requests do not include port numbers,
when you would like all requests to this OIDC Provider's HTTPS endpoints so all issuers with the same DNS hostname must use the same
to use the default TLS certificate, which is configured elsewhere. SecretName value even if they have different port numbers. \n
\n When your Issuer URL's host is an IP address, then this field SecretName is not required when you would like to use only the
is ignored. SNI does not work for IP addresses." HTTP endpoints (e.g. when terminating TLS at an Ingress). It
is also not required when you would like all requests to this
OIDC Provider's HTTPS endpoints to use the default TLS certificate,
which is configured elsewhere. \n When your Issuer URL's host
is an IP address, then this field is ignored. SNI does not work
for IP addresses."
type: string type: string
type: object
required: required:
- issuer - issuer
type: object type: object


@ -254,11 +254,7 @@ OIDCProviderSpec is a struct that describes an OIDC Provider.
| Field | Description | Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcprovidertlsspec[$$OIDCProviderTLSSpec$$]__ | TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|=== |===
@ -282,6 +278,27 @@ OIDCProviderStatus is a struct that describes the actual state of an OIDC Provid
|=== |===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcprovidertlsspec"]
==== OIDCProviderTLSSpec
OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.
SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|===
[id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"] [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
=== login.concierge.pinniped.dev/v1alpha1 === login.concierge.pinniped.dev/v1alpha1


@ -18,6 +18,29 @@ const (
InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid") InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid")
) )
// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
type OIDCProviderTLSSpec struct {
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
// the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret
// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
// for TLS.
//
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
// SecretName value even if they have different port numbers.
//
// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
// use the default TLS certificate, which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
//
// +optional
SecretName string `json:"secretName,omitempty"`
}
// OIDCProviderSpec is a struct that describes an OIDC Provider. // OIDCProviderSpec is a struct that describes an OIDC Provider.
type OIDCProviderSpec struct { type OIDCProviderSpec struct {
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the // Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -31,27 +54,9 @@ type OIDCProviderSpec struct {
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"` Issuer string `json:"issuer"`
// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, // TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
// contain the certificate and private key to use for TLS.
//
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SNICertificateSecretName is required if you would like to use different TLS certificates for
// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
//
// SNICertificateSecretName is not required when you would like to use only the
// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
// which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
// for IP addresses.
//
// +optional // +optional
SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"` TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
} }
// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider. // OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.


@ -16,7 +16,7 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) {
*out = *in *out = *in
out.TypeMeta = in.TypeMeta out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status) in.Status.DeepCopyInto(&out.Status)
return return
} }
@ -75,6 +75,11 @@ func (in *OIDCProviderList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) { func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
*out = *in *out = *in
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(OIDCProviderTLSSpec)
**out = **in
}
return return
} }
@ -108,3 +113,19 @@ func (in *OIDCProviderStatus) DeepCopy() *OIDCProviderStatus {
in.DeepCopyInto(out) in.DeepCopyInto(out)
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCProviderTLSSpec) DeepCopyInto(out *OIDCProviderTLSSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderTLSSpec.
func (in *OIDCProviderTLSSpec) DeepCopy() *OIDCProviderTLSSpec {
if in == nil {
return nil
}
out := new(OIDCProviderTLSSpec)
in.DeepCopyInto(out)
return out
}


@ -21,6 +21,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref), "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref), "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref), "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref),
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref), "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref),
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref), "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref),
"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref), "k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref),
@ -183,17 +184,18 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref common.Referenc
Format: "", Format: "",
}, },
}, },
"sniCertificateSecretName": { "tls": {
SchemaProps: spec.SchemaProps{ SchemaProps: spec.SchemaProps{
Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.", Description: "TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).",
Type: []string{"string"}, Ref: ref("go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"),
Format: "",
}, },
}, },
}, },
Required: []string{"issuer"}, Required: []string{"issuer"},
}, },
}, },
Dependencies: []string{
"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"},
} }
} }
@ -238,6 +240,26 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref common.Refere
} }
} }
func schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"secretName": {
SchemaProps: spec.SchemaProps{
Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.\n\nSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
Type: []string{"string"},
Format: "",
},
},
},
},
},
}
}
func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition { func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{ return common.OpenAPIDefinition{
Schema: spec.Schema{ Schema: spec.Schema{


@ -47,26 +47,32 @@ spec:
for more information." for more information."
minLength: 1 minLength: 1
type: string type: string
sniCertificateSecretName: tls:
description: "SNICertificateSecretName is an optional name of a Secret description: TLS configures how this OIDCProvider is served over Transport
in the same namespace, of type `kubernetes.io/tls`, which contains Layer Security (TLS).
the TLS serving certificate for the HTTPS endpoints served by this properties:
OIDC Provider. When provided, the TLS Secret named here must contain secretName:
keys named `tls.crt` and `tls.key` that contain the certificate description: "SecretName is an optional name of a Secret in the
and private key to use for TLS. \n Server Name Indication (SNI) same namespace, of type `kubernetes.io/tls`, which contains
is an extension to the Transport Layer Security (TLS) supported the TLS serving certificate for the HTTPS endpoints served by
by all major browsers. \n SNICertificateSecretName is required if this OIDCProvider. When provided, the TLS Secret named here
you would like to use different TLS certificates for issuers of must contain keys named `tls.crt` and `tls.key` that contain
different hostnames. SNI requests do not include port numbers, so the certificate and private key to use for TLS. \n Server Name
all issuers with the same DNS hostname must use the same SNICertificateSecretName Indication (SNI) is an extension to the Transport Layer Security
value even if they have different port numbers. \n SNICertificateSecretName (TLS) supported by all major browsers. \n SecretName is required
is not required when you would like to use only the HTTP endpoints if you would like to use different TLS certificates for issuers
(e.g. when terminating TLS at an Ingress). It is also not required of different hostnames. SNI requests do not include port numbers,
when you would like all requests to this OIDC Provider's HTTPS endpoints so all issuers with the same DNS hostname must use the same
to use the default TLS certificate, which is configured elsewhere. SecretName value even if they have different port numbers. \n
\n When your Issuer URL's host is an IP address, then this field SecretName is not required when you would like to use only the
is ignored. SNI does not work for IP addresses." HTTP endpoints (e.g. when terminating TLS at an Ingress). It
is also not required when you would like all requests to this
OIDC Provider's HTTPS endpoints to use the default TLS certificate,
which is configured elsewhere. \n When your Issuer URL's host
is an IP address, then this field is ignored. SNI does not work
for IP addresses."
type: string type: string
type: object
required: required:
- issuer - issuer
type: object type: object


@ -254,11 +254,7 @@ OIDCProviderSpec is a struct that describes an OIDC Provider.
| Field | Description | Field | Description
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint). | *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information. See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS. | *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcprovidertlsspec[$$OIDCProviderTLSSpec$$]__ | TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|=== |===
@ -282,6 +278,27 @@ OIDCProviderStatus is a struct that describes the actual state of an OIDC Provid
|=== |===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcprovidertlsspec"]
==== OIDCProviderTLSSpec
OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.
SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|===
[id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"] [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
=== login.concierge.pinniped.dev/v1alpha1 === login.concierge.pinniped.dev/v1alpha1


@ -18,6 +18,29 @@ const (
InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid") InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid")
) )
// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
type OIDCProviderTLSSpec struct {
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
// the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret
// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
// for TLS.
//
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
// SecretName value even if they have different port numbers.
//
// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
// use the default TLS certificate, which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
//
// +optional
SecretName string `json:"secretName,omitempty"`
}
// OIDCProviderSpec is a struct that describes an OIDC Provider. // OIDCProviderSpec is a struct that describes an OIDC Provider.
type OIDCProviderSpec struct { type OIDCProviderSpec struct {
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the // Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
@ -31,27 +54,9 @@ type OIDCProviderSpec struct {
// +kubebuilder:validation:MinLength=1 // +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"` Issuer string `json:"issuer"`
// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, // TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
// contain the certificate and private key to use for TLS.
//
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
//
// SNICertificateSecretName is required if you would like to use different TLS certificates for
// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
//
// SNICertificateSecretName is not required when you would like to use only the
// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
// which is configured elsewhere.
//
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
// for IP addresses.
//
// +optional // +optional
SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"` TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
} }
// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider. // OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.


@ -16,7 +16,7 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) {
*out = *in *out = *in
out.TypeMeta = in.TypeMeta out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status) in.Status.DeepCopyInto(&out.Status)
return return
} }
@ -75,6 +75,11 @@ func (in *OIDCProviderList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) { func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
*out = *in *out = *in
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(OIDCProviderTLSSpec)
**out = **in
}
return return
} }
@ -108,3 +113,19 @@ func (in *OIDCProviderStatus) DeepCopy() *OIDCProviderStatus {
in.DeepCopyInto(out) in.DeepCopyInto(out)
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *OIDCProviderTLSSpec) DeepCopyInto(out *OIDCProviderTLSSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderTLSSpec.
func (in *OIDCProviderTLSSpec) DeepCopy() *OIDCProviderTLSSpec {
if in == nil {
return nil
}
out := new(OIDCProviderTLSSpec)
in.DeepCopyInto(out)
return out
}


@ -21,6 +21,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref), "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref), "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref), "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref),
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref), "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref),
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref), "k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref),
"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref), "k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref),
@ -184,17 +185,18 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref common.Referenc
Format: "", Format: "",
}, },
}, },
"sniCertificateSecretName": { "tls": {
SchemaProps: spec.SchemaProps{ SchemaProps: spec.SchemaProps{
Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.", Description: "TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).",
Type: []string{"string"}, Ref: ref("go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"),
Format: "",
}, },
}, },
}, },
Required: []string{"issuer"}, Required: []string{"issuer"},
}, },
}, },
Dependencies: []string{
"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"},
} }
} }
@ -239,6 +241,26 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref common.Refere
} }
} }
func schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"secretName": {
SchemaProps: spec.SchemaProps{
Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.\n\nSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
Type: []string{"string"},
Format: "",
},
},
},
},
},
}
}
func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition { func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{ return common.OpenAPIDefinition{
Schema: spec.Schema{ Schema: spec.Schema{


@ -47,26 +47,32 @@ spec:
for more information." for more information."
minLength: 1 minLength: 1
type: string type: string
sniCertificateSecretName: tls:
description: "SNICertificateSecretName is an optional name of a Secret description: TLS configures how this OIDCProvider is served over Transport
in the same namespace, of type `kubernetes.io/tls`, which contains Layer Security (TLS).
the TLS serving certificate for the HTTPS endpoints served by this properties:
OIDC Provider. When provided, the TLS Secret named here must contain secretName:
keys named `tls.crt` and `tls.key` that contain the certificate description: "SecretName is an optional name of a Secret in the
and private key to use for TLS. \n Server Name Indication (SNI) same namespace, of type `kubernetes.io/tls`, which contains
is an extension to the Transport Layer Security (TLS) supported the TLS serving certificate for the HTTPS endpoints served by
by all major browsers. \n SNICertificateSecretName is required if this OIDCProvider. When provided, the TLS Secret named here
you would like to use different TLS certificates for issuers of must contain keys named `tls.crt` and `tls.key` that contain
different hostnames. SNI requests do not include port numbers, so the certificate and private key to use for TLS. \n Server Name
all issuers with the same DNS hostname must use the same SNICertificateSecretName Indication (SNI) is an extension to the Transport Layer Security
value even if they have different port numbers. \n SNICertificateSecretName (TLS) supported by all major browsers. \n SecretName is required
is not required when you would like to use only the HTTP endpoints if you would like to use different TLS certificates for issuers
(e.g. when terminating TLS at an Ingress). It is also not required of different hostnames. SNI requests do not include port numbers,
when you would like all requests to this OIDC Provider's HTTPS endpoints so all issuers with the same DNS hostname must use the same
to use the default TLS certificate, which is configured elsewhere. SecretName value even if they have different port numbers. \n
\n When your Issuer URL's host is an IP address, then this field SecretName is not required when you would like to use only the
is ignored. SNI does not work for IP addresses." HTTP endpoints (e.g. when terminating TLS at an Ingress). It
is also not required when you would like all requests to this
OIDC Provider's HTTPS endpoints to use the default TLS certificate,
which is configured elsewhere. \n When your Issuer URL's host
is an IP address, then this field is ignored. SNI does not work
for IP addresses."
type: string type: string
type: object
required: required:
- issuer - issuer
type: object type: object


@ -102,7 +102,9 @@ func (c *oidcProviderWatcherController) Sync(ctx controllerlib.Context) error {
setOfSecretNames = make(map[string]bool) setOfSecretNames = make(map[string]bool)
uniqueSecretNamesPerIssuerAddress[issuerURLToHostnameKey(issuerURL)] = setOfSecretNames uniqueSecretNamesPerIssuerAddress[issuerURLToHostnameKey(issuerURL)] = setOfSecretNames
} }
setOfSecretNames[opc.Spec.SNICertificateSecretName] = true if opc.Spec.TLS != nil {
setOfSecretNames[opc.Spec.TLS.SecretName] = true
}
} }
errs := multierror.New() errs := multierror.New()
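Review bot: The nil guard added around the `setOfSecretNames` write changes what the per-hostname uniqueness check sees: an OIDCProvider that omits the `tls` block now contributes no entry at all, while one with `tls: {}` (or, before this commit, an empty `SNICertificateSecretName`) contributes `""`. As far as the visible lines show, two issuers on the same DNS hostname where one omits `tls` and the other names a Secret are therefore no longer reported as conflicting, even though SNI can only select one certificate for that hostname, and the tlsCertObserverController hunk in this same commit maps a nil `TLS` to the empty secret name. Treating nil and empty identically here keeps the two controllers consistent and preserves the previous conflict detection; the enclosing Sync starts outside the hunk.

```go
// … unchanged: per-hostname set lookup/creation …
// Treat an omitted tls block the same as an empty secretName, matching tlsCertObserverController.
secretName := ""
if opc.Spec.TLS != nil {
	secretName = opc.Spec.TLS.SecretName
}
setOfSecretNames[secretName] = true
```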


@ -820,7 +820,7 @@ func TestSync(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{Name: "provider1", Namespace: namespace}, ObjectMeta: metav1.ObjectMeta{Name: "provider1", Namespace: namespace},
Spec: v1alpha1.OIDCProviderSpec{ Spec: v1alpha1.OIDCProviderSpec{
Issuer: "https://iSSueR-duPlicAte-adDress.cOm/path1", Issuer: "https://iSSueR-duPlicAte-adDress.cOm/path1",
SNICertificateSecretName: "secret1", TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "secret1"},
}, },
} }
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderSameIssuerAddress1)) r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderSameIssuerAddress1))
@ -831,7 +831,7 @@ func TestSync(t *testing.T) {
// Validation treats these as the same DNS hostname even though they have different port numbers, // Validation treats these as the same DNS hostname even though they have different port numbers,
// because SNI information on the incoming requests is not going to include port numbers. // because SNI information on the incoming requests is not going to include port numbers.
Issuer: "https://issuer-duplicate-address.com:1234/path2", Issuer: "https://issuer-duplicate-address.com:1234/path2",
SNICertificateSecretName: "secret2", TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "secret2"},
}, },
} }
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderSameIssuerAddress2)) r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderSameIssuerAddress2))
@ -841,7 +841,7 @@ func TestSync(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{Name: "differentIssuerAddressProvider", Namespace: namespace}, ObjectMeta: metav1.ObjectMeta{Name: "differentIssuerAddressProvider", Namespace: namespace},
Spec: v1alpha1.OIDCProviderSpec{ Spec: v1alpha1.OIDCProviderSpec{
Issuer: "https://issuer-not-duplicate.com", Issuer: "https://issuer-not-duplicate.com",
SNICertificateSecretName: "secret1", TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "secret1"},
}, },
} }
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderDifferentIssuerAddress)) r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderDifferentIssuerAddress))
@ -856,7 +856,7 @@ func TestSync(t *testing.T) {
ObjectMeta: metav1.ObjectMeta{Name: "invalidIssuerURLProvider", Namespace: namespace}, ObjectMeta: metav1.ObjectMeta{Name: "invalidIssuerURLProvider", Namespace: namespace},
Spec: v1alpha1.OIDCProviderSpec{ Spec: v1alpha1.OIDCProviderSpec{
Issuer: invalidIssuerURL, Issuer: invalidIssuerURL,
SNICertificateSecretName: "secret1", TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "secret1"},
}, },
} }
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderWithInvalidIssuerURL)) r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderWithInvalidIssuerURL))
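Review bot: Every fixture updated in this file sets `TLS` to a non-nil `&v1alpha1.OIDCProviderTLSSpec{...}`, so the new `opc.Spec.TLS != nil` branch in oidcProviderWatcherController is never exercised with an omitted `tls` block; the same holds for the tlsCertObserverController test fixtures in this commit. A case such as an OIDCProvider with `TLS: nil` on a hostname shared with a provider that names a Secret would pin down whether that combination is meant to be reported as a conflict. The test function continues outside these hunks.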


@ -72,7 +72,10 @@ func (c *tlsCertObserverController) Sync(ctx controllerlib.Context) error {
issuerHostToTLSCertMap := map[string]*tls.Certificate{} issuerHostToTLSCertMap := map[string]*tls.Certificate{}
for _, provider := range allProviders { for _, provider := range allProviders {
secretName := provider.Spec.SNICertificateSecretName secretName := ""
if provider.Spec.TLS != nil {
secretName = provider.Spec.TLS.SecretName
}
issuerURL, err := url.Parse(provider.Spec.Issuer) issuerURL, err := url.Parse(provider.Spec.Issuer)
if err != nil { if err != nil {
klog.InfoS("tlsCertObserverController Sync found an invalid issuer URL", "namespace", ns, "issuer", provider.Spec.Issuer) klog.InfoS("tlsCertObserverController Sync found an invalid issuer URL", "namespace", ns, "issuer", provider.Spec.Issuer)


@ -226,7 +226,7 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
}, },
Spec: v1alpha1.OIDCProviderSpec{ Spec: v1alpha1.OIDCProviderSpec{
Issuer: "https://no-secret-issuer2.com", Issuer: "https://no-secret-issuer2.com",
SNICertificateSecretName: "", TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: ""},
}, },
} }
oidcProviderWithBadSecret := &v1alpha1.OIDCProvider{ oidcProviderWithBadSecret := &v1alpha1.OIDCProvider{
@ -236,7 +236,7 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
}, },
Spec: v1alpha1.OIDCProviderSpec{ Spec: v1alpha1.OIDCProviderSpec{
Issuer: "https://bad-secret-issuer.com", Issuer: "https://bad-secret-issuer.com",
SNICertificateSecretName: "bad-tls-secret-name", TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "bad-tls-secret-name"},
}, },
} }
// Also add one with a URL that cannot be parsed to make sure that the controller is not confused by invalid URLs. // Also add one with a URL that cannot be parsed to make sure that the controller is not confused by invalid URLs.
@ -258,7 +258,7 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
// Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test without a port number. // Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test without a port number.
Spec: v1alpha1.OIDCProviderSpec{ Spec: v1alpha1.OIDCProviderSpec{
Issuer: "https://www.iSSuer-wiTh-goOd-secRet1.cOm/path", Issuer: "https://www.iSSuer-wiTh-goOd-secRet1.cOm/path",
SNICertificateSecretName: "good-tls-secret-name1", TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "good-tls-secret-name1"},
}, },
} }
oidcProviderWithGoodSecret2 := &v1alpha1.OIDCProvider{ oidcProviderWithGoodSecret2 := &v1alpha1.OIDCProvider{
@ -269,7 +269,7 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
// Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test with a port number. // Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test with a port number.
Spec: v1alpha1.OIDCProviderSpec{ Spec: v1alpha1.OIDCProviderSpec{
Issuer: "https://www.issUEr-WIth-gOOd-seCret2.com:1234/path", Issuer: "https://www.issUEr-WIth-gOOd-seCret2.com:1234/path",
SNICertificateSecretName: "good-tls-secret-name2", TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "good-tls-secret-name2"},
}, },
} }
testCrt1 := readTestFile("testdata/test.crt") testCrt1 := readTestFile("testdata/test.crt")


@ -159,26 +159,26 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
hostname1 := strings.Split(address, ":")[0] hostname1 := strings.Split(address, ":")[0]
issuer1 := fmt.Sprintf("%s://%s/issuer1", scheme, address) issuer1 := fmt.Sprintf("%s://%s/issuer1", scheme, address)
sniCertificateSecretName1 := "integration-test-sni-cert-1" certSecretName1 := "integration-test-cert-1"
// Create an OIDCProvider with an sniCertificateSecretName. // Create an OIDCProvider with a spec.tls.secretName.
oidcProvider1 := library.CreateTestOIDCProvider(ctx, t, issuer1, sniCertificateSecretName1) oidcProvider1 := library.CreateTestOIDCProvider(ctx, t, issuer1, certSecretName1)
requireStatus(t, pinnipedClient, oidcProvider1.Namespace, oidcProvider1.Name, v1alpha1.SuccessOIDCProviderStatusCondition) requireStatus(t, pinnipedClient, oidcProvider1.Namespace, oidcProvider1.Name, v1alpha1.SuccessOIDCProviderStatusCondition)
// The sniCertificateSecretName Secret does not exist, so the endpoints should fail with TLS errors. // The spec.tls.secretName Secret does not exist, so the endpoints should fail with TLS errors.
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1) requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1)
// Create the Secret. // Create the Secret.
ca1 := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, sniCertificateSecretName1, kubeClient) ca1 := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, certSecretName1, kubeClient)
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA. // Now that the Secret exists, we should be able to access the endpoints by hostname using the CA.
_ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1.Bundle()), issuer1, nil) _ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1.Bundle()), issuer1, nil)
// Update the config to take away the sniCertificateSecretName. // Update the config to with a new .spec.tls.secretName.
sniCertificateSecretName1update := "integration-test-sni-cert-1-update" certSecretName1update := "integration-test-cert-1-update"
oidcProvider1LatestVersion, err := pinnipedClient.ConfigV1alpha1().OIDCProviders(ns).Get(ctx, oidcProvider1.Name, metav1.GetOptions{}) oidcProvider1LatestVersion, err := pinnipedClient.ConfigV1alpha1().OIDCProviders(ns).Get(ctx, oidcProvider1.Name, metav1.GetOptions{})
require.NoError(t, err) require.NoError(t, err)
oidcProvider1LatestVersion.Spec.SNICertificateSecretName = sniCertificateSecretName1update oidcProvider1LatestVersion.Spec.TLS = &v1alpha1.OIDCProviderTLSSpec{SecretName: certSecretName1update}
_, err = pinnipedClient.ConfigV1alpha1().OIDCProviders(ns).Update(ctx, oidcProvider1LatestVersion, metav1.UpdateOptions{}) _, err = pinnipedClient.ConfigV1alpha1().OIDCProviders(ns).Update(ctx, oidcProvider1LatestVersion, metav1.UpdateOptions{})
require.NoError(t, err) require.NoError(t, err)
@ -186,7 +186,7 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1) requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1)
// Create a Secret at the updated name. // Create a Secret at the updated name.
ca1update := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, sniCertificateSecretName1update, kubeClient) ca1update := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, certSecretName1update, kubeClient)
// Now that the Secret exists at the new name, we should be able to access the endpoints by hostname using the CA. // Now that the Secret exists at the new name, we should be able to access the endpoints by hostname using the CA.
_ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1update.Bundle()), issuer1, nil) _ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1update.Bundle()), issuer1, nil)
@ -195,14 +195,14 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
hostname2 := "some-issuer-host-and-port-that-doesnt-match-public-supervisor-address.com" hostname2 := "some-issuer-host-and-port-that-doesnt-match-public-supervisor-address.com"
hostnamePort2 := "2684" hostnamePort2 := "2684"
issuer2 := fmt.Sprintf("%s://%s:%s/issuer2", scheme, hostname2, hostnamePort2) issuer2 := fmt.Sprintf("%s://%s:%s/issuer2", scheme, hostname2, hostnamePort2)
sniCertificateSecretName2 := "integration-test-sni-cert-2" certSecretName2 := "integration-test-cert-2"
// Create an OIDCProvider with an sniCertificateSecretName. // Create an OIDCProvider with a spec.tls.secretName.
oidcProvider2 := library.CreateTestOIDCProvider(ctx, t, issuer2, sniCertificateSecretName2) oidcProvider2 := library.CreateTestOIDCProvider(ctx, t, issuer2, certSecretName2)
requireStatus(t, pinnipedClient, oidcProvider2.Namespace, oidcProvider2.Name, v1alpha1.SuccessOIDCProviderStatusCondition) requireStatus(t, pinnipedClient, oidcProvider2.Namespace, oidcProvider2.Name, v1alpha1.SuccessOIDCProviderStatusCondition)
// Create the Secret. // Create the Secret.
ca2 := createTLSCertificateSecret(ctx, t, ns, hostname2, nil, sniCertificateSecretName2, kubeClient) ca2 := createTLSCertificateSecret(ctx, t, ns, hostname2, nil, certSecretName2, kubeClient)
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA. // Now that the Secret exists, we should be able to access the endpoints by hostname using the CA.
_ = requireDiscoveryEndpointsAreWorking(t, scheme, hostname2+":"+hostnamePort2, string(ca2.Bundle()), issuer2, map[string]string{ _ = requireDiscoveryEndpointsAreWorking(t, scheme, hostname2+":"+hostnamePort2, string(ca2.Bundle()), issuer2, map[string]string{
@ -240,11 +240,11 @@ func TestSupervisorTLSTerminationWithDefaultCerts(t *testing.T) {
issuerUsingIPAddress := fmt.Sprintf("%s://%s/issuer1", scheme, ipWithPort) issuerUsingIPAddress := fmt.Sprintf("%s://%s/issuer1", scheme, ipWithPort)
issuerUsingHostname := fmt.Sprintf("%s://%s/issuer1", scheme, address) issuerUsingHostname := fmt.Sprintf("%s://%s/issuer1", scheme, address)
// Create an OIDCProvider without an sniCertificateSecretName. // Create an OIDCProvider without a spec.tls.secretName.
oidcProvider1 := library.CreateTestOIDCProvider(ctx, t, issuerUsingIPAddress, "") oidcProvider1 := library.CreateTestOIDCProvider(ctx, t, issuerUsingIPAddress, "")
requireStatus(t, pinnipedClient, oidcProvider1.Namespace, oidcProvider1.Name, v1alpha1.SuccessOIDCProviderStatusCondition) requireStatus(t, pinnipedClient, oidcProvider1.Namespace, oidcProvider1.Name, v1alpha1.SuccessOIDCProviderStatusCondition)
// There is no default TLS cert and the sniCertificateSecretName was not set, so the endpoints should fail with TLS errors. // There is no default TLS cert and the spec.tls.secretName was not set, so the endpoints should fail with TLS errors.
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuerUsingIPAddress) requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuerUsingIPAddress)
// Create a Secret at the special name which represents the default TLS cert. // Create a Secret at the special name which represents the default TLS cert.
@ -253,18 +253,18 @@ func TestSupervisorTLSTerminationWithDefaultCerts(t *testing.T) {
// Now that the Secret exists, we should be able to access the endpoints by IP address using the CA. // Now that the Secret exists, we should be able to access the endpoints by IP address using the CA.
_ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil) _ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil)
// Create an OIDCProvider with an sniCertificateSecretName. // Create an OIDCProvider with a spec.tls.secretName.
sniCertificateSecretName := "integration-test-sni-cert-1" certSecretName := "integration-test-cert-1"
oidcProvider2 := library.CreateTestOIDCProvider(ctx, t, issuerUsingHostname, sniCertificateSecretName) oidcProvider2 := library.CreateTestOIDCProvider(ctx, t, issuerUsingHostname, certSecretName)
requireStatus(t, pinnipedClient, oidcProvider2.Namespace, oidcProvider2.Name, v1alpha1.SuccessOIDCProviderStatusCondition) requireStatus(t, pinnipedClient, oidcProvider2.Namespace, oidcProvider2.Name, v1alpha1.SuccessOIDCProviderStatusCondition)
// Create the Secret. // Create the Secret.
sniCA := createTLSCertificateSecret(ctx, t, ns, hostname, nil, sniCertificateSecretName, kubeClient) certCA := createTLSCertificateSecret(ctx, t, ns, hostname, nil, certSecretName, kubeClient)
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA from the SNI cert. // Now that the Secret exists, we should be able to access the endpoints by hostname using the CA from the SNI cert.
// Hostnames are case-insensitive, so the request should still work even if the case of the hostname is different // Hostnames are case-insensitive, so the request should still work even if the case of the hostname is different
// from the case of the issuer URL's hostname. // from the case of the issuer URL's hostname.
_ = requireDiscoveryEndpointsAreWorking(t, scheme, strings.ToUpper(hostname)+":"+port, string(sniCA.Bundle()), issuerUsingHostname, nil) _ = requireDiscoveryEndpointsAreWorking(t, scheme, strings.ToUpper(hostname)+":"+port, string(certCA.Bundle()), issuerUsingHostname, nil)
// And we can still access the other issuer using the default cert. // And we can still access the other issuer using the default cert.
_ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil) _ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil)
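Review bot: The "without a spec.tls.secretName" case passes `""` to `library.CreateTestOIDCProvider`, which in this commit always builds a non-nil `TLS: &OIDCProviderTLSSpec{SecretName: ""}`, so the omitted-`tls` form that the API marks `+optional` is not covered end to end by either integration test; consider having the helper leave `Spec.TLS` nil when the name is empty, or adding a case that sets it nil explicitly. Separately, the new comment `// Update the config to with a new .spec.tls.secretName.` reads awkwardly and could be `// Update the config with a new .spec.tls.secretName.`. Both test functions continue outside these hunks.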


@ -172,7 +172,7 @@ func CreateTestWebhookAuthenticator(ctx context.Context, t *testing.T) corev1.Ty
// //
// If the provided issuer is not the empty string, then it will be used for the // If the provided issuer is not the empty string, then it will be used for the
// OIDCProvider.Spec.Issuer field. Else, a random issuer will be generated. // OIDCProvider.Spec.Issuer field. Else, a random issuer will be generated.
func CreateTestOIDCProvider(ctx context.Context, t *testing.T, issuer, sniCertificateSecretName string) *configv1alpha1.OIDCProvider { func CreateTestOIDCProvider(ctx context.Context, t *testing.T, issuer, certSecretName string) *configv1alpha1.OIDCProvider {
t.Helper() t.Helper()
testEnv := IntegrationEnv(t) testEnv := IntegrationEnv(t)
@ -194,7 +194,7 @@ func CreateTestOIDCProvider(ctx context.Context, t *testing.T, issuer, sniCertif
}, },
Spec: configv1alpha1.OIDCProviderSpec{ Spec: configv1alpha1.OIDCProviderSpec{
Issuer: issuer, Issuer: issuer,
SNICertificateSecretName: sniCertificateSecretName, TLS: &configv1alpha1.OIDCProviderTLSSpec{SecretName: certSecretName},
}, },
}, metav1.CreateOptions{}) }, metav1.CreateOptions{})
require.NoError(t, err, "could not create test OIDCProvider") require.NoError(t, err, "could not create test OIDCProvider")