Replace the OIDCProvider field SNICertificateSecretName with a TLS.SecretName field.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
This commit is contained in:
parent
2b8773aa54
commit
2bf5c8b48b
@ -18,6 +18,29 @@ const (
|
|||||||
InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid")
|
InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid")
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||||
|
type OIDCProviderTLSSpec struct {
|
||||||
|
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
|
||||||
|
// the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret
|
||||||
|
// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
|
||||||
|
// for TLS.
|
||||||
|
//
|
||||||
|
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
|
||||||
|
//
|
||||||
|
// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
|
||||||
|
// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
|
||||||
|
// SecretName value even if they have different port numbers.
|
||||||
|
//
|
||||||
|
// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
|
||||||
|
// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
|
||||||
|
// use the default TLS certificate, which is configured elsewhere.
|
||||||
|
//
|
||||||
|
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|
||||||
|
//
|
||||||
|
// +optional
|
||||||
|
SecretName string `json:"secretName,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
// OIDCProviderSpec is a struct that describes an OIDC Provider.
|
// OIDCProviderSpec is a struct that describes an OIDC Provider.
|
||||||
type OIDCProviderSpec struct {
|
type OIDCProviderSpec struct {
|
||||||
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
||||||
@ -31,27 +54,9 @@ type OIDCProviderSpec struct {
|
|||||||
// +kubebuilder:validation:MinLength=1
|
// +kubebuilder:validation:MinLength=1
|
||||||
Issuer string `json:"issuer"`
|
Issuer string `json:"issuer"`
|
||||||
|
|
||||||
// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
|
// TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
|
||||||
// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
|
|
||||||
// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
|
|
||||||
// contain the certificate and private key to use for TLS.
|
|
||||||
//
|
|
||||||
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
|
|
||||||
//
|
|
||||||
// SNICertificateSecretName is required if you would like to use different TLS certificates for
|
|
||||||
// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
|
|
||||||
// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
|
|
||||||
//
|
|
||||||
// SNICertificateSecretName is not required when you would like to use only the
|
|
||||||
// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
|
|
||||||
// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
|
|
||||||
// which is configured elsewhere.
|
|
||||||
//
|
|
||||||
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
|
|
||||||
// for IP addresses.
|
|
||||||
//
|
|
||||||
// +optional
|
// +optional
|
||||||
SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
|
TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
|
// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
|
||||||
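Review bot: The new `SecretName` field of `OIDCProviderTLSSpec` carries no validation marker and its comment leaves out the two facts a TLS misconfiguration turns on: whether the certificate in `tls.crt` must cover the hostname of the `Issuer` URL, and how the Supervisor reacts when the named Secret is missing, is not of type `kubernetes.io/tls`, or lacks `tls.crt`/`tls.key`. I would add `// +kubebuilder:validation:MinLength=1` above `SecretName`, mirroring the marker already on `Issuer`, so an explicit `secretName: ""` is rejected at admission instead of arriving as the empty string, which the Go code cannot tell apart from an unset field, and append to the doc comment `// The certificate in tls.crt must be valid for the hostname of this OIDCProvider's Issuer URL; SNI only selects the certificate, clients still verify the hostname.` followed by one sentence on how a missing or malformed Secret is surfaced (presumably through the `Invalid` status condition declared at the top of this hunk, but the controller is not in this diff, so confirm). Because the Secret is resolved by name within the same namespace, anyone allowed to edit OIDCProvider objects there can have the Supervisor serve any TLS private key in that namespace, which is worth stating in the comment so RBAC on the namespace is scoped with that in mind. The identical copy of this type that appears later in the commit under the generated/1.17 tree looks generated and should pick the same wording up from this source file.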
|
@ -146,9 +146,11 @@ spec:
|
|||||||
# The hostname would typically match the DNS name of the public ingress or load balancer for the cluster.
|
# The hostname would typically match the DNS name of the public ingress or load balancer for the cluster.
|
||||||
# Any path can be specified, which allows a single hostname to have multiple different issuers. The path is optional.
|
# Any path can be specified, which allows a single hostname to have multiple different issuers. The path is optional.
|
||||||
issuer: https://my-issuer.example.com/any/path
|
issuer: https://my-issuer.example.com/any/path
|
||||||
|
|
||||||
# Optionally configure the name of a Secret in the same namespace, of type `kubernetes.io/tls`,
|
# Optionally configure the name of a Secret in the same namespace, of type `kubernetes.io/tls`,
|
||||||
# which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
|
# which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
|
||||||
sniCertificateSecretName: my-tls-cert-secret
|
tls:
|
||||||
|
secretName: my-tls-cert-secret
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Configuring TLS for the Supervisor OIDC Endpoints
|
#### Configuring TLS for the Supervisor OIDC Endpoints
|
||||||
@ -159,17 +161,17 @@ configure TLS certificates on the OIDCProvider.
|
|||||||
If you are using a LoadBalancer Service to expose the Supervisor app outside your cluster, then you will
|
If you are using a LoadBalancer Service to expose the Supervisor app outside your cluster, then you will
|
||||||
also need to configure the Supervisor app to terminate TLS. There are two places to configure TLS certificates:
|
also need to configure the Supervisor app to terminate TLS. There are two places to configure TLS certificates:
|
||||||
|
|
||||||
1. Each `OIDCProvider` can be configured with TLS certificates, using the `sniCertificateSecretName` field.
|
1. Each `OIDCProvider` can be configured with TLS certificates, using the `spec.tls.secretName` field.
|
||||||
|
|
||||||
1. The default TLS certificate for all OIDC providers can be configured by creating a Secret called
|
1. The default TLS certificate for all OIDC providers can be configured by creating a Secret called
|
||||||
`pinniped-supervisor-default-tls-certificate` in the same namespace in which the Supervisor was installed.
|
`pinniped-supervisor-default-tls-certificate` in the same namespace in which the Supervisor was installed.
|
||||||
|
|
||||||
The default TLS certificate will be used for all OIDC providers which did not declare an `sniCertificateSecretName`.
|
The default TLS certificate will be used for all OIDC providers which did not declare a `spec.tls.secretName`.
|
||||||
Also, the `sniCertificateSecretName` will be ignored for incoming requests to the OIDC endpoints
|
Also, the `spec.tls.secretName` will be ignored for incoming requests to the OIDC endpoints
|
||||||
that use an IP address as the host, so those requests will always present the default TLS certificates
|
that use an IP address as the host, so those requests will always present the default TLS certificates
|
||||||
to the client. When the request includes the hostname, and that hostname matches the hostname of an `Issuer`,
|
to the client. When the request includes the hostname, and that hostname matches the hostname of an `Issuer`,
|
||||||
then the TLS certificate defined by the `sniCertificateSecretName` will be used. If that issuer did not
|
then the TLS certificate defined by the `spec.tls.secretName` will be used. If that issuer did not
|
||||||
define `sniCertificateSecretName` then the default TLS certificate will be used. If neither exists,
|
define `spec.tls.secretName` then the default TLS certificate will be used. If neither exists,
|
||||||
then the client will get a TLS error because the server will not present any TLS certificate.
|
then the client will get a TLS error because the server will not present any TLS certificate.
|
||||||
|
|
||||||
It is recommended that you have a DNS entry for your load balancer or Ingress, and that you configure the
|
It is recommended that you have a DNS entry for your load balancer or Ingress, and that you configure the
|
||||||
|
@ -47,26 +47,32 @@ spec:
|
|||||||
for more information."
|
for more information."
|
||||||
minLength: 1
|
minLength: 1
|
||||||
type: string
|
type: string
|
||||||
sniCertificateSecretName:
|
tls:
|
||||||
description: "SNICertificateSecretName is an optional name of a Secret
|
description: TLS configures how this OIDCProvider is served over Transport
|
||||||
in the same namespace, of type `kubernetes.io/tls`, which contains
|
Layer Security (TLS).
|
||||||
the TLS serving certificate for the HTTPS endpoints served by this
|
properties:
|
||||||
OIDC Provider. When provided, the TLS Secret named here must contain
|
secretName:
|
||||||
keys named `tls.crt` and `tls.key` that contain the certificate
|
description: "SecretName is an optional name of a Secret in the
|
||||||
and private key to use for TLS. \n Server Name Indication (SNI)
|
same namespace, of type `kubernetes.io/tls`, which contains
|
||||||
is an extension to the Transport Layer Security (TLS) supported
|
the TLS serving certificate for the HTTPS endpoints served by
|
||||||
by all major browsers. \n SNICertificateSecretName is required if
|
this OIDCProvider. When provided, the TLS Secret named here
|
||||||
you would like to use different TLS certificates for issuers of
|
must contain keys named `tls.crt` and `tls.key` that contain
|
||||||
different hostnames. SNI requests do not include port numbers, so
|
the certificate and private key to use for TLS. \n Server Name
|
||||||
all issuers with the same DNS hostname must use the same SNICertificateSecretName
|
Indication (SNI) is an extension to the Transport Layer Security
|
||||||
value even if they have different port numbers. \n SNICertificateSecretName
|
(TLS) supported by all major browsers. \n SecretName is required
|
||||||
is not required when you would like to use only the HTTP endpoints
|
if you would like to use different TLS certificates for issuers
|
||||||
(e.g. when terminating TLS at an Ingress). It is also not required
|
of different hostnames. SNI requests do not include port numbers,
|
||||||
when you would like all requests to this OIDC Provider's HTTPS endpoints
|
so all issuers with the same DNS hostname must use the same
|
||||||
to use the default TLS certificate, which is configured elsewhere.
|
SecretName value even if they have different port numbers. \n
|
||||||
\n When your Issuer URL's host is an IP address, then this field
|
SecretName is not required when you would like to use only the
|
||||||
is ignored. SNI does not work for IP addresses."
|
HTTP endpoints (e.g. when terminating TLS at an Ingress). It
|
||||||
type: string
|
is also not required when you would like all requests to this
|
||||||
|
OIDC Provider's HTTPS endpoints to use the default TLS certificate,
|
||||||
|
which is configured elsewhere. \n When your Issuer URL's host
|
||||||
|
is an IP address, then this field is ignored. SNI does not work
|
||||||
|
for IP addresses."
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
required:
|
required:
|
||||||
- issuer
|
- issuer
|
||||||
type: object
|
type: object
|
||||||
|
27
generated/1.17/README.adoc
generated
27
generated/1.17/README.adoc
generated
@ -254,11 +254,7 @@ OIDCProviderSpec is a struct that describes an OIDC Provider.
|
|||||||
| Field | Description
|
| Field | Description
|
||||||
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
|
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
|
||||||
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
|
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
|
||||||
| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
|
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcprovidertlsspec[$$OIDCProviderTLSSpec$$]__ | TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
|
||||||
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
|
|
||||||
SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
|
|
||||||
SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
|
|
||||||
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|
|
||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
@ -282,6 +278,27 @@ OIDCProviderStatus is a struct that describes the actual state of an OIDC Provid
|
|||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcprovidertlsspec"]
|
||||||
|
==== OIDCProviderTLSSpec
|
||||||
|
|
||||||
|
OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||||
|
|
||||||
|
.Appears In:
|
||||||
|
****
|
||||||
|
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$]
|
||||||
|
****
|
||||||
|
|
||||||
|
[cols="25a,75a", options="header"]
|
||||||
|
|===
|
||||||
|
| Field | Description
|
||||||
|
| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
|
||||||
|
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
|
||||||
|
SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.
|
||||||
|
SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
|
||||||
|
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|
||||||
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
[id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
|
[id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
|
||||||
=== login.concierge.pinniped.dev/v1alpha1
|
=== login.concierge.pinniped.dev/v1alpha1
|
||||||
|
@ -18,6 +18,29 @@ const (
|
|||||||
InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid")
|
InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid")
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||||
|
type OIDCProviderTLSSpec struct {
|
||||||
|
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
|
||||||
|
// the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret
|
||||||
|
// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
|
||||||
|
// for TLS.
|
||||||
|
//
|
||||||
|
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
|
||||||
|
//
|
||||||
|
// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
|
||||||
|
// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
|
||||||
|
// SecretName value even if they have different port numbers.
|
||||||
|
//
|
||||||
|
// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
|
||||||
|
// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
|
||||||
|
// use the default TLS certificate, which is configured elsewhere.
|
||||||
|
//
|
||||||
|
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|
||||||
|
//
|
||||||
|
// +optional
|
||||||
|
SecretName string `json:"secretName,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
// OIDCProviderSpec is a struct that describes an OIDC Provider.
|
// OIDCProviderSpec is a struct that describes an OIDC Provider.
|
||||||
type OIDCProviderSpec struct {
|
type OIDCProviderSpec struct {
|
||||||
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
||||||
@ -31,27 +54,9 @@ type OIDCProviderSpec struct {
|
|||||||
// +kubebuilder:validation:MinLength=1
|
// +kubebuilder:validation:MinLength=1
|
||||||
Issuer string `json:"issuer"`
|
Issuer string `json:"issuer"`
|
||||||
|
|
||||||
// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
|
// TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
|
||||||
// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
|
|
||||||
// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
|
|
||||||
// contain the certificate and private key to use for TLS.
|
|
||||||
//
|
|
||||||
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
|
|
||||||
//
|
|
||||||
// SNICertificateSecretName is required if you would like to use different TLS certificates for
|
|
||||||
// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
|
|
||||||
// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
|
|
||||||
//
|
|
||||||
// SNICertificateSecretName is not required when you would like to use only the
|
|
||||||
// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
|
|
||||||
// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
|
|
||||||
// which is configured elsewhere.
|
|
||||||
//
|
|
||||||
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
|
|
||||||
// for IP addresses.
|
|
||||||
//
|
|
||||||
// +optional
|
// +optional
|
||||||
SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
|
TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
|
// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
|
||||||
|
@ -16,7 +16,7 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) {
|
|||||||
*out = *in
|
*out = *in
|
||||||
out.TypeMeta = in.TypeMeta
|
out.TypeMeta = in.TypeMeta
|
||||||
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
||||||
out.Spec = in.Spec
|
in.Spec.DeepCopyInto(&out.Spec)
|
||||||
in.Status.DeepCopyInto(&out.Status)
|
in.Status.DeepCopyInto(&out.Status)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -75,6 +75,11 @@ func (in *OIDCProviderList) DeepCopyObject() runtime.Object {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
|
func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.TLS != nil {
|
||||||
|
in, out := &in.TLS, &out.TLS
|
||||||
|
*out = new(OIDCProviderTLSSpec)
|
||||||
|
**out = **in
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -108,3 +113,19 @@ func (in *OIDCProviderStatus) DeepCopy() *OIDCProviderStatus {
|
|||||||
in.DeepCopyInto(out)
|
in.DeepCopyInto(out)
|
||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *OIDCProviderTLSSpec) DeepCopyInto(out *OIDCProviderTLSSpec) {
|
||||||
|
*out = *in
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderTLSSpec.
|
||||||
|
func (in *OIDCProviderTLSSpec) DeepCopy() *OIDCProviderTLSSpec {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(OIDCProviderTLSSpec)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
@ -17,61 +17,62 @@ import (
|
|||||||
|
|
||||||
func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
|
func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
|
||||||
return map[string]common.OpenAPIDefinition{
|
return map[string]common.OpenAPIDefinition{
|
||||||
"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProvider": schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref),
|
"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProvider": schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref),
|
||||||
"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
|
"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
|
||||||
"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
|
"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
|
||||||
"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
|
"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref),
|
"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList": schema_pkg_apis_meta_v1_APIResourceList(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions": schema_pkg_apis_meta_v1_APIVersions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList": schema_pkg_apis_meta_v1_APIResourceList(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions": schema_pkg_apis_meta_v1_CreateOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions": schema_pkg_apis_meta_v1_APIVersions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions": schema_pkg_apis_meta_v1_DeleteOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions": schema_pkg_apis_meta_v1_CreateOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Duration": schema_pkg_apis_meta_v1_Duration(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions": schema_pkg_apis_meta_v1_DeleteOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions": schema_pkg_apis_meta_v1_ExportOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Duration": schema_pkg_apis_meta_v1_Duration(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1": schema_pkg_apis_meta_v1_FieldsV1(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions": schema_pkg_apis_meta_v1_ExportOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions": schema_pkg_apis_meta_v1_GetOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1": schema_pkg_apis_meta_v1_FieldsV1(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind": schema_pkg_apis_meta_v1_GroupKind(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions": schema_pkg_apis_meta_v1_GetOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource": schema_pkg_apis_meta_v1_GroupResource(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind": schema_pkg_apis_meta_v1_GroupKind(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion": schema_pkg_apis_meta_v1_GroupVersion(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource": schema_pkg_apis_meta_v1_GroupResource(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery": schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion": schema_pkg_apis_meta_v1_GroupVersion(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind": schema_pkg_apis_meta_v1_GroupVersionKind(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery": schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource": schema_pkg_apis_meta_v1_GroupVersionResource(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind": schema_pkg_apis_meta_v1_GroupVersionKind(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent": schema_pkg_apis_meta_v1_InternalEvent(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource": schema_pkg_apis_meta_v1_GroupVersionResource(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector": schema_pkg_apis_meta_v1_LabelSelector(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent": schema_pkg_apis_meta_v1_InternalEvent(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement": schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector": schema_pkg_apis_meta_v1_LabelSelector(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.List": schema_pkg_apis_meta_v1_List(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement": schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta": schema_pkg_apis_meta_v1_ListMeta(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.List": schema_pkg_apis_meta_v1_List(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions": schema_pkg_apis_meta_v1_ListOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta": schema_pkg_apis_meta_v1_ListMeta(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry": schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions": schema_pkg_apis_meta_v1_ListOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime": schema_pkg_apis_meta_v1_MicroTime(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry": schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta": schema_pkg_apis_meta_v1_ObjectMeta(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime": schema_pkg_apis_meta_v1_MicroTime(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference": schema_pkg_apis_meta_v1_OwnerReference(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta": schema_pkg_apis_meta_v1_ObjectMeta(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata": schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference": schema_pkg_apis_meta_v1_OwnerReference(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList": schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata": schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Patch": schema_pkg_apis_meta_v1_Patch(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList": schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions": schema_pkg_apis_meta_v1_PatchOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Patch": schema_pkg_apis_meta_v1_Patch(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions": schema_pkg_apis_meta_v1_Preconditions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions": schema_pkg_apis_meta_v1_PatchOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths": schema_pkg_apis_meta_v1_RootPaths(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions": schema_pkg_apis_meta_v1_Preconditions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR": schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths": schema_pkg_apis_meta_v1_RootPaths(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Status": schema_pkg_apis_meta_v1_Status(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR": schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause": schema_pkg_apis_meta_v1_StatusCause(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Status": schema_pkg_apis_meta_v1_Status(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails": schema_pkg_apis_meta_v1_StatusDetails(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause": schema_pkg_apis_meta_v1_StatusCause(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Table": schema_pkg_apis_meta_v1_Table(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails": schema_pkg_apis_meta_v1_StatusDetails(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition": schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Table": schema_pkg_apis_meta_v1_Table(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions": schema_pkg_apis_meta_v1_TableOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition": schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow": schema_pkg_apis_meta_v1_TableRow(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions": schema_pkg_apis_meta_v1_TableOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition": schema_pkg_apis_meta_v1_TableRowCondition(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow": schema_pkg_apis_meta_v1_TableRow(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Time": schema_pkg_apis_meta_v1_Time(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition": schema_pkg_apis_meta_v1_TableRowCondition(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp": schema_pkg_apis_meta_v1_Timestamp(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Time": schema_pkg_apis_meta_v1_Time(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta": schema_pkg_apis_meta_v1_TypeMeta(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp": schema_pkg_apis_meta_v1_Timestamp(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions": schema_pkg_apis_meta_v1_UpdateOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta": schema_pkg_apis_meta_v1_TypeMeta(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent": schema_pkg_apis_meta_v1_WatchEvent(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions": schema_pkg_apis_meta_v1_UpdateOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/runtime.RawExtension": schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent": schema_pkg_apis_meta_v1_WatchEvent(ref),
|
||||||
"k8s.io/apimachinery/pkg/runtime.TypeMeta": schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
|
"k8s.io/apimachinery/pkg/runtime.RawExtension": schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
|
||||||
"k8s.io/apimachinery/pkg/runtime.Unknown": schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
|
"k8s.io/apimachinery/pkg/runtime.TypeMeta": schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
|
||||||
"k8s.io/apimachinery/pkg/version.Info": schema_k8sio_apimachinery_pkg_version_Info(ref),
|
"k8s.io/apimachinery/pkg/runtime.Unknown": schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
|
||||||
|
"k8s.io/apimachinery/pkg/version.Info": schema_k8sio_apimachinery_pkg_version_Info(ref),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -183,17 +184,18 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref common.Referenc
|
|||||||
Format: "",
|
Format: "",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"sniCertificateSecretName": {
|
"tls": {
|
||||||
SchemaProps: spec.SchemaProps{
|
SchemaProps: spec.SchemaProps{
|
||||||
Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
|
Description: "TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).",
|
||||||
Type: []string{"string"},
|
Ref: ref("go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"),
|
||||||
Format: "",
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Required: []string{"issuer"},
|
Required: []string{"issuer"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
Dependencies: []string{
|
||||||
|
"go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -238,6 +240,26 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref common.Refere
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
|
||||||
|
return common.OpenAPIDefinition{
|
||||||
|
Schema: spec.Schema{
|
||||||
|
SchemaProps: spec.SchemaProps{
|
||||||
|
Description: "OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.",
|
||||||
|
Type: []string{"object"},
|
||||||
|
Properties: map[string]spec.Schema{
|
||||||
|
"secretName": {
|
||||||
|
SchemaProps: spec.SchemaProps{
|
||||||
|
Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.\n\nSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
|
||||||
|
Type: []string{"string"},
|
||||||
|
Format: "",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
|
func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
|
||||||
return common.OpenAPIDefinition{
|
return common.OpenAPIDefinition{
|
||||||
Schema: spec.Schema{
|
Schema: spec.Schema{
|
||||||
|
@ -47,26 +47,32 @@ spec:
|
|||||||
for more information."
|
for more information."
|
||||||
minLength: 1
|
minLength: 1
|
||||||
type: string
|
type: string
|
||||||
sniCertificateSecretName:
|
tls:
|
||||||
description: "SNICertificateSecretName is an optional name of a Secret
|
description: TLS configures how this OIDCProvider is served over Transport
|
||||||
in the same namespace, of type `kubernetes.io/tls`, which contains
|
Layer Security (TLS).
|
||||||
the TLS serving certificate for the HTTPS endpoints served by this
|
properties:
|
||||||
OIDC Provider. When provided, the TLS Secret named here must contain
|
secretName:
|
||||||
keys named `tls.crt` and `tls.key` that contain the certificate
|
description: "SecretName is an optional name of a Secret in the
|
||||||
and private key to use for TLS. \n Server Name Indication (SNI)
|
same namespace, of type `kubernetes.io/tls`, which contains
|
||||||
is an extension to the Transport Layer Security (TLS) supported
|
the TLS serving certificate for the HTTPS endpoints served by
|
||||||
by all major browsers. \n SNICertificateSecretName is required if
|
this OIDCProvider. When provided, the TLS Secret named here
|
||||||
you would like to use different TLS certificates for issuers of
|
must contain keys named `tls.crt` and `tls.key` that contain
|
||||||
different hostnames. SNI requests do not include port numbers, so
|
the certificate and private key to use for TLS. \n Server Name
|
||||||
all issuers with the same DNS hostname must use the same SNICertificateSecretName
|
Indication (SNI) is an extension to the Transport Layer Security
|
||||||
value even if they have different port numbers. \n SNICertificateSecretName
|
(TLS) supported by all major browsers. \n SecretName is required
|
||||||
is not required when you would like to use only the HTTP endpoints
|
if you would like to use different TLS certificates for issuers
|
||||||
(e.g. when terminating TLS at an Ingress). It is also not required
|
of different hostnames. SNI requests do not include port numbers,
|
||||||
when you would like all requests to this OIDC Provider's HTTPS endpoints
|
so all issuers with the same DNS hostname must use the same
|
||||||
to use the default TLS certificate, which is configured elsewhere.
|
SecretName value even if they have different port numbers. \n
|
||||||
\n When your Issuer URL's host is an IP address, then this field
|
SecretName is not required when you would like to use only the
|
||||||
is ignored. SNI does not work for IP addresses."
|
HTTP endpoints (e.g. when terminating TLS at an Ingress). It
|
||||||
type: string
|
is also not required when you would like all requests to this
|
||||||
|
OIDC Provider's HTTPS endpoints to use the default TLS certificate,
|
||||||
|
which is configured elsewhere. \n When your Issuer URL's host
|
||||||
|
is an IP address, then this field is ignored. SNI does not work
|
||||||
|
for IP addresses."
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
required:
|
required:
|
||||||
- issuer
|
- issuer
|
||||||
type: object
|
type: object
|
||||||
|
27
generated/1.18/README.adoc
generated
27
generated/1.18/README.adoc
generated
@ -254,11 +254,7 @@ OIDCProviderSpec is a struct that describes an OIDC Provider.
|
|||||||
| Field | Description
|
| Field | Description
|
||||||
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
|
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
|
||||||
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
|
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
|
||||||
| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
|
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcprovidertlsspec[$$OIDCProviderTLSSpec$$]__ | TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
|
||||||
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
|
|
||||||
SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
|
|
||||||
SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
|
|
||||||
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|
|
||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
@ -282,6 +278,27 @@ OIDCProviderStatus is a struct that describes the actual state of an OIDC Provid
|
|||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcprovidertlsspec"]
|
||||||
|
==== OIDCProviderTLSSpec
|
||||||
|
|
||||||
|
OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||||
|
|
||||||
|
.Appears In:
|
||||||
|
****
|
||||||
|
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$]
|
||||||
|
****
|
||||||
|
|
||||||
|
[cols="25a,75a", options="header"]
|
||||||
|
|===
|
||||||
|
| Field | Description
|
||||||
|
| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
|
||||||
|
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
|
||||||
|
SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.
|
||||||
|
SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
|
||||||
|
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|
||||||
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
[id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
|
[id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
|
||||||
=== login.concierge.pinniped.dev/v1alpha1
|
=== login.concierge.pinniped.dev/v1alpha1
|
||||||
|
@ -18,6 +18,29 @@ const (
|
|||||||
InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid")
|
InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid")
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||||
|
type OIDCProviderTLSSpec struct {
|
||||||
|
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
|
||||||
|
// the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret
|
||||||
|
// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
|
||||||
|
// for TLS.
|
||||||
|
//
|
||||||
|
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
|
||||||
|
//
|
||||||
|
// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
|
||||||
|
// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
|
||||||
|
// SecretName value even if they have different port numbers.
|
||||||
|
//
|
||||||
|
// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
|
||||||
|
// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
|
||||||
|
// use the default TLS certificate, which is configured elsewhere.
|
||||||
|
//
|
||||||
|
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|
||||||
|
//
|
||||||
|
// +optional
|
||||||
|
SecretName string `json:"secretName,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
// OIDCProviderSpec is a struct that describes an OIDC Provider.
|
// OIDCProviderSpec is a struct that describes an OIDC Provider.
|
||||||
type OIDCProviderSpec struct {
|
type OIDCProviderSpec struct {
|
||||||
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
||||||
@ -31,27 +54,9 @@ type OIDCProviderSpec struct {
|
|||||||
// +kubebuilder:validation:MinLength=1
|
// +kubebuilder:validation:MinLength=1
|
||||||
Issuer string `json:"issuer"`
|
Issuer string `json:"issuer"`
|
||||||
|
|
||||||
// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
|
// TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
|
||||||
// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
|
|
||||||
// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
|
|
||||||
// contain the certificate and private key to use for TLS.
|
|
||||||
//
|
|
||||||
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
|
|
||||||
//
|
|
||||||
// SNICertificateSecretName is required if you would like to use different TLS certificates for
|
|
||||||
// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
|
|
||||||
// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
|
|
||||||
//
|
|
||||||
// SNICertificateSecretName is not required when you would like to use only the
|
|
||||||
// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
|
|
||||||
// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
|
|
||||||
// which is configured elsewhere.
|
|
||||||
//
|
|
||||||
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
|
|
||||||
// for IP addresses.
|
|
||||||
//
|
|
||||||
// +optional
|
// +optional
|
||||||
SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
|
TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
|
// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
|
||||||
|
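Review bot: `SecretName` in the new `OIDCProviderTLSSpec` is marked `+optional` but carries no length constraint, whereas `Issuer` in the following hunk has `// +kubebuilder:validation:MinLength=1`; an explicit `secretName: ""` is therefore accepted at admission and, by the field's own description, is treated as "use the default TLS certificate" without any error. Adding `// +kubebuilder:validation:MinLength=1` above `SecretName string `json:"secretName,omitempty"`` keeps the field optional through `omitempty` while rejecting the empty string, so a mis-templated manifest fails loudly instead of silently serving a different certificate than the operator intended. The doc comment should also state where a referenced Secret that is missing, not of type `kubernetes.io/tls`, or lacking `tls.crt`/`tls.key` is reported — presumably through the OIDCProvider status conditions declared above this hunk, which cannot be confirmed from these lines. The `OIDCProviderSpec` struct edited in the second hunk begins outside the hunk.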
@ -16,7 +16,7 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) {
|
|||||||
*out = *in
|
*out = *in
|
||||||
out.TypeMeta = in.TypeMeta
|
out.TypeMeta = in.TypeMeta
|
||||||
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
||||||
out.Spec = in.Spec
|
in.Spec.DeepCopyInto(&out.Spec)
|
||||||
in.Status.DeepCopyInto(&out.Status)
|
in.Status.DeepCopyInto(&out.Status)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -75,6 +75,11 @@ func (in *OIDCProviderList) DeepCopyObject() runtime.Object {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
|
func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.TLS != nil {
|
||||||
|
in, out := &in.TLS, &out.TLS
|
||||||
|
*out = new(OIDCProviderTLSSpec)
|
||||||
|
**out = **in
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -108,3 +113,19 @@ func (in *OIDCProviderStatus) DeepCopy() *OIDCProviderStatus {
|
|||||||
in.DeepCopyInto(out)
|
in.DeepCopyInto(out)
|
||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *OIDCProviderTLSSpec) DeepCopyInto(out *OIDCProviderTLSSpec) {
|
||||||
|
*out = *in
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderTLSSpec.
|
||||||
|
func (in *OIDCProviderTLSSpec) DeepCopy() *OIDCProviderTLSSpec {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(OIDCProviderTLSSpec)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
@ -17,61 +17,62 @@ import (
|
|||||||
|
|
||||||
func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
|
func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
|
||||||
return map[string]common.OpenAPIDefinition{
|
return map[string]common.OpenAPIDefinition{
|
||||||
"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProvider": schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref),
|
"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProvider": schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref),
|
||||||
"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
|
"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
|
||||||
"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
|
"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
|
||||||
"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
|
"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref),
|
"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList": schema_pkg_apis_meta_v1_APIResourceList(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions": schema_pkg_apis_meta_v1_APIVersions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList": schema_pkg_apis_meta_v1_APIResourceList(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions": schema_pkg_apis_meta_v1_CreateOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions": schema_pkg_apis_meta_v1_APIVersions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions": schema_pkg_apis_meta_v1_DeleteOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions": schema_pkg_apis_meta_v1_CreateOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Duration": schema_pkg_apis_meta_v1_Duration(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions": schema_pkg_apis_meta_v1_DeleteOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions": schema_pkg_apis_meta_v1_ExportOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Duration": schema_pkg_apis_meta_v1_Duration(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1": schema_pkg_apis_meta_v1_FieldsV1(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions": schema_pkg_apis_meta_v1_ExportOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions": schema_pkg_apis_meta_v1_GetOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1": schema_pkg_apis_meta_v1_FieldsV1(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind": schema_pkg_apis_meta_v1_GroupKind(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions": schema_pkg_apis_meta_v1_GetOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource": schema_pkg_apis_meta_v1_GroupResource(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind": schema_pkg_apis_meta_v1_GroupKind(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion": schema_pkg_apis_meta_v1_GroupVersion(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource": schema_pkg_apis_meta_v1_GroupResource(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery": schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion": schema_pkg_apis_meta_v1_GroupVersion(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind": schema_pkg_apis_meta_v1_GroupVersionKind(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery": schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource": schema_pkg_apis_meta_v1_GroupVersionResource(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind": schema_pkg_apis_meta_v1_GroupVersionKind(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent": schema_pkg_apis_meta_v1_InternalEvent(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource": schema_pkg_apis_meta_v1_GroupVersionResource(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector": schema_pkg_apis_meta_v1_LabelSelector(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent": schema_pkg_apis_meta_v1_InternalEvent(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement": schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector": schema_pkg_apis_meta_v1_LabelSelector(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.List": schema_pkg_apis_meta_v1_List(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement": schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta": schema_pkg_apis_meta_v1_ListMeta(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.List": schema_pkg_apis_meta_v1_List(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions": schema_pkg_apis_meta_v1_ListOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta": schema_pkg_apis_meta_v1_ListMeta(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry": schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions": schema_pkg_apis_meta_v1_ListOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime": schema_pkg_apis_meta_v1_MicroTime(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry": schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta": schema_pkg_apis_meta_v1_ObjectMeta(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime": schema_pkg_apis_meta_v1_MicroTime(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference": schema_pkg_apis_meta_v1_OwnerReference(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta": schema_pkg_apis_meta_v1_ObjectMeta(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata": schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference": schema_pkg_apis_meta_v1_OwnerReference(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList": schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata": schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Patch": schema_pkg_apis_meta_v1_Patch(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList": schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions": schema_pkg_apis_meta_v1_PatchOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Patch": schema_pkg_apis_meta_v1_Patch(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions": schema_pkg_apis_meta_v1_Preconditions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions": schema_pkg_apis_meta_v1_PatchOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths": schema_pkg_apis_meta_v1_RootPaths(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions": schema_pkg_apis_meta_v1_Preconditions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR": schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths": schema_pkg_apis_meta_v1_RootPaths(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Status": schema_pkg_apis_meta_v1_Status(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR": schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause": schema_pkg_apis_meta_v1_StatusCause(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Status": schema_pkg_apis_meta_v1_Status(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails": schema_pkg_apis_meta_v1_StatusDetails(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause": schema_pkg_apis_meta_v1_StatusCause(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Table": schema_pkg_apis_meta_v1_Table(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails": schema_pkg_apis_meta_v1_StatusDetails(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition": schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Table": schema_pkg_apis_meta_v1_Table(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions": schema_pkg_apis_meta_v1_TableOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition": schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow": schema_pkg_apis_meta_v1_TableRow(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions": schema_pkg_apis_meta_v1_TableOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition": schema_pkg_apis_meta_v1_TableRowCondition(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow": schema_pkg_apis_meta_v1_TableRow(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Time": schema_pkg_apis_meta_v1_Time(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition": schema_pkg_apis_meta_v1_TableRowCondition(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp": schema_pkg_apis_meta_v1_Timestamp(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Time": schema_pkg_apis_meta_v1_Time(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta": schema_pkg_apis_meta_v1_TypeMeta(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp": schema_pkg_apis_meta_v1_Timestamp(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions": schema_pkg_apis_meta_v1_UpdateOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta": schema_pkg_apis_meta_v1_TypeMeta(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent": schema_pkg_apis_meta_v1_WatchEvent(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions": schema_pkg_apis_meta_v1_UpdateOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/runtime.RawExtension": schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent": schema_pkg_apis_meta_v1_WatchEvent(ref),
|
||||||
"k8s.io/apimachinery/pkg/runtime.TypeMeta": schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
|
"k8s.io/apimachinery/pkg/runtime.RawExtension": schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
|
||||||
"k8s.io/apimachinery/pkg/runtime.Unknown": schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
|
"k8s.io/apimachinery/pkg/runtime.TypeMeta": schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
|
||||||
"k8s.io/apimachinery/pkg/version.Info": schema_k8sio_apimachinery_pkg_version_Info(ref),
|
"k8s.io/apimachinery/pkg/runtime.Unknown": schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
|
||||||
|
"k8s.io/apimachinery/pkg/version.Info": schema_k8sio_apimachinery_pkg_version_Info(ref),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -183,17 +184,18 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref common.Referenc
|
|||||||
Format: "",
|
Format: "",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"sniCertificateSecretName": {
|
"tls": {
|
||||||
SchemaProps: spec.SchemaProps{
|
SchemaProps: spec.SchemaProps{
|
||||||
Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
|
Description: "TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).",
|
||||||
Type: []string{"string"},
|
Ref: ref("go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"),
|
||||||
Format: "",
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Required: []string{"issuer"},
|
Required: []string{"issuer"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
Dependencies: []string{
|
||||||
|
"go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -238,6 +240,26 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref common.Refere
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
|
||||||
|
return common.OpenAPIDefinition{
|
||||||
|
Schema: spec.Schema{
|
||||||
|
SchemaProps: spec.SchemaProps{
|
||||||
|
Description: "OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.",
|
||||||
|
Type: []string{"object"},
|
||||||
|
Properties: map[string]spec.Schema{
|
||||||
|
"secretName": {
|
||||||
|
SchemaProps: spec.SchemaProps{
|
||||||
|
Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.\n\nSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
|
||||||
|
Type: []string{"string"},
|
||||||
|
Format: "",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
|
func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
|
||||||
return common.OpenAPIDefinition{
|
return common.OpenAPIDefinition{
|
||||||
Schema: spec.Schema{
|
Schema: spec.Schema{
|
||||||
|
@ -47,26 +47,32 @@ spec:
|
|||||||
for more information."
|
for more information."
|
||||||
minLength: 1
|
minLength: 1
|
||||||
type: string
|
type: string
|
||||||
sniCertificateSecretName:
|
tls:
|
||||||
description: "SNICertificateSecretName is an optional name of a Secret
|
description: TLS configures how this OIDCProvider is served over Transport
|
||||||
in the same namespace, of type `kubernetes.io/tls`, which contains
|
Layer Security (TLS).
|
||||||
the TLS serving certificate for the HTTPS endpoints served by this
|
properties:
|
||||||
OIDC Provider. When provided, the TLS Secret named here must contain
|
secretName:
|
||||||
keys named `tls.crt` and `tls.key` that contain the certificate
|
description: "SecretName is an optional name of a Secret in the
|
||||||
and private key to use for TLS. \n Server Name Indication (SNI)
|
same namespace, of type `kubernetes.io/tls`, which contains
|
||||||
is an extension to the Transport Layer Security (TLS) supported
|
the TLS serving certificate for the HTTPS endpoints served by
|
||||||
by all major browsers. \n SNICertificateSecretName is required if
|
this OIDCProvider. When provided, the TLS Secret named here
|
||||||
you would like to use different TLS certificates for issuers of
|
must contain keys named `tls.crt` and `tls.key` that contain
|
||||||
different hostnames. SNI requests do not include port numbers, so
|
the certificate and private key to use for TLS. \n Server Name
|
||||||
all issuers with the same DNS hostname must use the same SNICertificateSecretName
|
Indication (SNI) is an extension to the Transport Layer Security
|
||||||
value even if they have different port numbers. \n SNICertificateSecretName
|
(TLS) supported by all major browsers. \n SecretName is required
|
||||||
is not required when you would like to use only the HTTP endpoints
|
if you would like to use different TLS certificates for issuers
|
||||||
(e.g. when terminating TLS at an Ingress). It is also not required
|
of different hostnames. SNI requests do not include port numbers,
|
||||||
when you would like all requests to this OIDC Provider's HTTPS endpoints
|
so all issuers with the same DNS hostname must use the same
|
||||||
to use the default TLS certificate, which is configured elsewhere.
|
SecretName value even if they have different port numbers. \n
|
||||||
\n When your Issuer URL's host is an IP address, then this field
|
SecretName is not required when you would like to use only the
|
||||||
is ignored. SNI does not work for IP addresses."
|
HTTP endpoints (e.g. when terminating TLS at an Ingress). It
|
||||||
type: string
|
is also not required when you would like all requests to this
|
||||||
|
OIDC Provider's HTTPS endpoints to use the default TLS certificate,
|
||||||
|
which is configured elsewhere. \n When your Issuer URL's host
|
||||||
|
is an IP address, then this field is ignored. SNI does not work
|
||||||
|
for IP addresses."
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
required:
|
required:
|
||||||
- issuer
|
- issuer
|
||||||
type: object
|
type: object
|
||||||
|
27
generated/1.19/README.adoc
generated
27
generated/1.19/README.adoc
generated
@ -254,11 +254,7 @@ OIDCProviderSpec is a struct that describes an OIDC Provider.
|
|||||||
| Field | Description
|
| Field | Description
|
||||||
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
|
| *`issuer`* __string__ | Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the identifier that it will use for the iss claim in issued JWTs. This field will also be used as the base URL for any endpoints used by the OIDC Provider (e.g., if your issuer is https://example.com/foo, then your authorization endpoint will look like https://example.com/foo/some/path/to/auth/endpoint).
|
||||||
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
|
See https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3 for more information.
|
||||||
| *`sniCertificateSecretName`* __string__ | SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
|
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcprovidertlsspec[$$OIDCProviderTLSSpec$$]__ | TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
|
||||||
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
|
|
||||||
SNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
|
|
||||||
SNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
|
|
||||||
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|
|
||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
@ -282,6 +278,27 @@ OIDCProviderStatus is a struct that describes the actual state of an OIDC Provid
|
|||||||
|===
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcprovidertlsspec"]
|
||||||
|
==== OIDCProviderTLSSpec
|
||||||
|
|
||||||
|
OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||||
|
|
||||||
|
.Appears In:
|
||||||
|
****
|
||||||
|
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-config-v1alpha1-oidcproviderspec[$$OIDCProviderSpec$$]
|
||||||
|
****
|
||||||
|
|
||||||
|
[cols="25a,75a", options="header"]
|
||||||
|
|===
|
||||||
|
| Field | Description
|
||||||
|
| *`secretName`* __string__ | SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.
|
||||||
|
Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
|
||||||
|
SecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.
|
||||||
|
SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.
|
||||||
|
When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|
||||||
|
|===
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
[id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
|
[id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"]
|
||||||
=== login.concierge.pinniped.dev/v1alpha1
|
=== login.concierge.pinniped.dev/v1alpha1
|
||||||
|
@ -18,6 +18,29 @@ const (
|
|||||||
InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid")
|
InvalidOIDCProviderStatusCondition = OIDCProviderStatusCondition("Invalid")
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.
|
||||||
|
type OIDCProviderTLSSpec struct {
|
||||||
|
// SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains
|
||||||
|
// the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret
|
||||||
|
// named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use
|
||||||
|
// for TLS.
|
||||||
|
//
|
||||||
|
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
|
||||||
|
//
|
||||||
|
// SecretName is required if you would like to use different TLS certificates for issuers of different hostnames.
|
||||||
|
// SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same
|
||||||
|
// SecretName value even if they have different port numbers.
|
||||||
|
//
|
||||||
|
// SecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an
|
||||||
|
// Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to
|
||||||
|
// use the default TLS certificate, which is configured elsewhere.
|
||||||
|
//
|
||||||
|
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.
|
||||||
|
//
|
||||||
|
// +optional
|
||||||
|
SecretName string `json:"secretName,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
// OIDCProviderSpec is a struct that describes an OIDC Provider.
|
// OIDCProviderSpec is a struct that describes an OIDC Provider.
|
||||||
type OIDCProviderSpec struct {
|
type OIDCProviderSpec struct {
|
||||||
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
// Issuer is the OIDC Provider's issuer, per the OIDC Discovery Metadata document, as well as the
|
||||||
@ -31,27 +54,9 @@ type OIDCProviderSpec struct {
|
|||||||
// +kubebuilder:validation:MinLength=1
|
// +kubebuilder:validation:MinLength=1
|
||||||
Issuer string `json:"issuer"`
|
Issuer string `json:"issuer"`
|
||||||
|
|
||||||
// SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`,
|
// TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).
|
||||||
// which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider.
|
|
||||||
// When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that
|
|
||||||
// contain the certificate and private key to use for TLS.
|
|
||||||
//
|
|
||||||
// Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.
|
|
||||||
//
|
|
||||||
// SNICertificateSecretName is required if you would like to use different TLS certificates for
|
|
||||||
// issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same
|
|
||||||
// DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.
|
|
||||||
//
|
|
||||||
// SNICertificateSecretName is not required when you would like to use only the
|
|
||||||
// HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you
|
|
||||||
// would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate,
|
|
||||||
// which is configured elsewhere.
|
|
||||||
//
|
|
||||||
// When your Issuer URL's host is an IP address, then this field is ignored. SNI does not work
|
|
||||||
// for IP addresses.
|
|
||||||
//
|
|
||||||
// +optional
|
// +optional
|
||||||
SNICertificateSecretName string `json:"sniCertificateSecretName,omitempty"`
|
TLS *OIDCProviderTLSSpec `json:"tls,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
|
// OIDCProviderStatus is a struct that describes the actual state of an OIDC Provider.
|
||||||
|
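Review bot: Renaming `sniCertificateSecretName` to `tls.secretName` in the `@ -31,27 +54,9 @@` hunk removes the old field from the schema with no conversion, so an existing OIDCProvider that set `sniCertificateSecretName` will presumably have that value pruned on its next write (the regenerated CRD at `@ -47,26 +47,32 @@` no longer lists it) and its HTTPS endpoints will fall back to the default serving certificate without any rejected object or error. For a v1alpha1 API that may be acceptable, but the failure mode is a silently different certificate rather than a validation failure, so it deserves a release note and, if the controller can detect a stale object, a status condition. Separately, the new `SecretName` doc comment in the `@ -18,6 +18,29 @@` hunk alternates between `OIDCProvider` and `OIDC Provider's` within one paragraph; pick one spelling so the generated README and OpenAPI descriptions stay consistent. Both struct definitions are complete within their hunks.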
@ -16,7 +16,7 @@ func (in *OIDCProvider) DeepCopyInto(out *OIDCProvider) {
|
|||||||
*out = *in
|
*out = *in
|
||||||
out.TypeMeta = in.TypeMeta
|
out.TypeMeta = in.TypeMeta
|
||||||
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
||||||
out.Spec = in.Spec
|
in.Spec.DeepCopyInto(&out.Spec)
|
||||||
in.Status.DeepCopyInto(&out.Status)
|
in.Status.DeepCopyInto(&out.Status)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -75,6 +75,11 @@ func (in *OIDCProviderList) DeepCopyObject() runtime.Object {
|
|||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
|
func (in *OIDCProviderSpec) DeepCopyInto(out *OIDCProviderSpec) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.TLS != nil {
|
||||||
|
in, out := &in.TLS, &out.TLS
|
||||||
|
*out = new(OIDCProviderTLSSpec)
|
||||||
|
**out = **in
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -108,3 +113,19 @@ func (in *OIDCProviderStatus) DeepCopy() *OIDCProviderStatus {
|
|||||||
in.DeepCopyInto(out)
|
in.DeepCopyInto(out)
|
||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *OIDCProviderTLSSpec) DeepCopyInto(out *OIDCProviderTLSSpec) {
|
||||||
|
*out = *in
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCProviderTLSSpec.
|
||||||
|
func (in *OIDCProviderTLSSpec) DeepCopy() *OIDCProviderTLSSpec {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(OIDCProviderTLSSpec)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
@ -17,62 +17,63 @@ import (
|
|||||||
|
|
||||||
func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
|
func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
|
||||||
return map[string]common.OpenAPIDefinition{
|
return map[string]common.OpenAPIDefinition{
|
||||||
"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProvider": schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref),
|
"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProvider": schema_apis_supervisor_config_v1alpha1_OIDCProvider(ref),
|
||||||
"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
|
"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderList": schema_apis_supervisor_config_v1alpha1_OIDCProviderList(ref),
|
||||||
"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
|
"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref),
|
||||||
"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
|
"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderStatus": schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref),
|
"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec": schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroup": schema_pkg_apis_meta_v1_APIGroup(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.APIGroupList": schema_pkg_apis_meta_v1_APIGroupList(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList": schema_pkg_apis_meta_v1_APIResourceList(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.APIResource": schema_pkg_apis_meta_v1_APIResource(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions": schema_pkg_apis_meta_v1_APIVersions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.APIResourceList": schema_pkg_apis_meta_v1_APIResourceList(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Condition": schema_pkg_apis_meta_v1_Condition(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.APIVersions": schema_pkg_apis_meta_v1_APIVersions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions": schema_pkg_apis_meta_v1_CreateOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Condition": schema_pkg_apis_meta_v1_Condition(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions": schema_pkg_apis_meta_v1_DeleteOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.CreateOptions": schema_pkg_apis_meta_v1_CreateOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Duration": schema_pkg_apis_meta_v1_Duration(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.DeleteOptions": schema_pkg_apis_meta_v1_DeleteOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions": schema_pkg_apis_meta_v1_ExportOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Duration": schema_pkg_apis_meta_v1_Duration(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1": schema_pkg_apis_meta_v1_FieldsV1(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ExportOptions": schema_pkg_apis_meta_v1_ExportOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions": schema_pkg_apis_meta_v1_GetOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.FieldsV1": schema_pkg_apis_meta_v1_FieldsV1(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind": schema_pkg_apis_meta_v1_GroupKind(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GetOptions": schema_pkg_apis_meta_v1_GetOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource": schema_pkg_apis_meta_v1_GroupResource(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupKind": schema_pkg_apis_meta_v1_GroupKind(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion": schema_pkg_apis_meta_v1_GroupVersion(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupResource": schema_pkg_apis_meta_v1_GroupResource(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery": schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersion": schema_pkg_apis_meta_v1_GroupVersion(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind": schema_pkg_apis_meta_v1_GroupVersionKind(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionForDiscovery": schema_pkg_apis_meta_v1_GroupVersionForDiscovery(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource": schema_pkg_apis_meta_v1_GroupVersionResource(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionKind": schema_pkg_apis_meta_v1_GroupVersionKind(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent": schema_pkg_apis_meta_v1_InternalEvent(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.GroupVersionResource": schema_pkg_apis_meta_v1_GroupVersionResource(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector": schema_pkg_apis_meta_v1_LabelSelector(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.InternalEvent": schema_pkg_apis_meta_v1_InternalEvent(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement": schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelector": schema_pkg_apis_meta_v1_LabelSelector(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.List": schema_pkg_apis_meta_v1_List(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.LabelSelectorRequirement": schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta": schema_pkg_apis_meta_v1_ListMeta(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.List": schema_pkg_apis_meta_v1_List(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions": schema_pkg_apis_meta_v1_ListOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta": schema_pkg_apis_meta_v1_ListMeta(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry": schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ListOptions": schema_pkg_apis_meta_v1_ListOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime": schema_pkg_apis_meta_v1_MicroTime(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ManagedFieldsEntry": schema_pkg_apis_meta_v1_ManagedFieldsEntry(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta": schema_pkg_apis_meta_v1_ObjectMeta(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.MicroTime": schema_pkg_apis_meta_v1_MicroTime(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference": schema_pkg_apis_meta_v1_OwnerReference(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta": schema_pkg_apis_meta_v1_ObjectMeta(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata": schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.OwnerReference": schema_pkg_apis_meta_v1_OwnerReference(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList": schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadata": schema_pkg_apis_meta_v1_PartialObjectMetadata(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Patch": schema_pkg_apis_meta_v1_Patch(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.PartialObjectMetadataList": schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions": schema_pkg_apis_meta_v1_PatchOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Patch": schema_pkg_apis_meta_v1_Patch(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions": schema_pkg_apis_meta_v1_Preconditions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.PatchOptions": schema_pkg_apis_meta_v1_PatchOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths": schema_pkg_apis_meta_v1_RootPaths(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Preconditions": schema_pkg_apis_meta_v1_Preconditions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR": schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.RootPaths": schema_pkg_apis_meta_v1_RootPaths(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Status": schema_pkg_apis_meta_v1_Status(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.ServerAddressByClientCIDR": schema_pkg_apis_meta_v1_ServerAddressByClientCIDR(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause": schema_pkg_apis_meta_v1_StatusCause(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Status": schema_pkg_apis_meta_v1_Status(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails": schema_pkg_apis_meta_v1_StatusDetails(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.StatusCause": schema_pkg_apis_meta_v1_StatusCause(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Table": schema_pkg_apis_meta_v1_Table(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.StatusDetails": schema_pkg_apis_meta_v1_StatusDetails(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition": schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Table": schema_pkg_apis_meta_v1_Table(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions": schema_pkg_apis_meta_v1_TableOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.TableColumnDefinition": schema_pkg_apis_meta_v1_TableColumnDefinition(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow": schema_pkg_apis_meta_v1_TableRow(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.TableOptions": schema_pkg_apis_meta_v1_TableOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition": schema_pkg_apis_meta_v1_TableRowCondition(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.TableRow": schema_pkg_apis_meta_v1_TableRow(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Time": schema_pkg_apis_meta_v1_Time(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.TableRowCondition": schema_pkg_apis_meta_v1_TableRowCondition(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp": schema_pkg_apis_meta_v1_Timestamp(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Time": schema_pkg_apis_meta_v1_Time(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta": schema_pkg_apis_meta_v1_TypeMeta(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.Timestamp": schema_pkg_apis_meta_v1_Timestamp(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions": schema_pkg_apis_meta_v1_UpdateOptions(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta": schema_pkg_apis_meta_v1_TypeMeta(ref),
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent": schema_pkg_apis_meta_v1_WatchEvent(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.UpdateOptions": schema_pkg_apis_meta_v1_UpdateOptions(ref),
|
||||||
"k8s.io/apimachinery/pkg/runtime.RawExtension": schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
|
"k8s.io/apimachinery/pkg/apis/meta/v1.WatchEvent": schema_pkg_apis_meta_v1_WatchEvent(ref),
|
||||||
"k8s.io/apimachinery/pkg/runtime.TypeMeta": schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
|
"k8s.io/apimachinery/pkg/runtime.RawExtension": schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref),
|
||||||
"k8s.io/apimachinery/pkg/runtime.Unknown": schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
|
"k8s.io/apimachinery/pkg/runtime.TypeMeta": schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
|
||||||
"k8s.io/apimachinery/pkg/version.Info": schema_k8sio_apimachinery_pkg_version_Info(ref),
|
"k8s.io/apimachinery/pkg/runtime.Unknown": schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
|
||||||
|
"k8s.io/apimachinery/pkg/version.Info": schema_k8sio_apimachinery_pkg_version_Info(ref),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -184,17 +185,18 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderSpec(ref common.Referenc
|
|||||||
Format: "",
|
Format: "",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"sniCertificateSecretName": {
|
"tls": {
|
||||||
SchemaProps: spec.SchemaProps{
|
SchemaProps: spec.SchemaProps{
|
||||||
Description: "SNICertificateSecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDC Provider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSNICertificateSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SNICertificateSecretName value even if they have different port numbers.\n\nSNICertificateSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
|
Description: "TLS configures how this OIDCProvider is served over Transport Layer Security (TLS).",
|
||||||
Type: []string{"string"},
|
Ref: ref("go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"),
|
||||||
Format: "",
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Required: []string{"issuer"},
|
Required: []string{"issuer"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
Dependencies: []string{
|
||||||
|
"go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1.OIDCProviderTLSSpec"},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -239,6 +241,26 @@ func schema_apis_supervisor_config_v1alpha1_OIDCProviderStatus(ref common.Refere
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func schema_apis_supervisor_config_v1alpha1_OIDCProviderTLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
|
||||||
|
return common.OpenAPIDefinition{
|
||||||
|
Schema: spec.Schema{
|
||||||
|
SchemaProps: spec.SchemaProps{
|
||||||
|
Description: "OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC Provider.",
|
||||||
|
Type: []string{"object"},
|
||||||
|
Properties: map[string]spec.Schema{
|
||||||
|
"secretName": {
|
||||||
|
SchemaProps: spec.SchemaProps{
|
||||||
|
Description: "SecretName is an optional name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the HTTPS endpoints served by this OIDCProvider. When provided, the TLS Secret named here must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key to use for TLS.\n\nServer Name Indication (SNI) is an extension to the Transport Layer Security (TLS) supported by all major browsers.\n\nSecretName is required if you would like to use different TLS certificates for issuers of different hostnames. SNI requests do not include port numbers, so all issuers with the same DNS hostname must use the same SecretName value even if they have different port numbers.\n\nSecretName is not required when you would like to use only the HTTP endpoints (e.g. when terminating TLS at an Ingress). It is also not required when you would like all requests to this OIDC Provider's HTTPS endpoints to use the default TLS certificate, which is configured elsewhere.\n\nWhen your Issuer URL's host is an IP address, then this field is ignored. SNI does not work for IP addresses.",
|
||||||
|
Type: []string{"string"},
|
||||||
|
Format: "",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
|
func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenAPIDefinition {
|
||||||
return common.OpenAPIDefinition{
|
return common.OpenAPIDefinition{
|
||||||
Schema: spec.Schema{
|
Schema: spec.Schema{
|
||||||
|
@ -47,26 +47,32 @@ spec:
|
|||||||
for more information."
|
for more information."
|
||||||
minLength: 1
|
minLength: 1
|
||||||
type: string
|
type: string
|
||||||
sniCertificateSecretName:
|
tls:
|
||||||
description: "SNICertificateSecretName is an optional name of a Secret
|
description: TLS configures how this OIDCProvider is served over Transport
|
||||||
in the same namespace, of type `kubernetes.io/tls`, which contains
|
Layer Security (TLS).
|
||||||
the TLS serving certificate for the HTTPS endpoints served by this
|
properties:
|
||||||
OIDC Provider. When provided, the TLS Secret named here must contain
|
secretName:
|
||||||
keys named `tls.crt` and `tls.key` that contain the certificate
|
description: "SecretName is an optional name of a Secret in the
|
||||||
and private key to use for TLS. \n Server Name Indication (SNI)
|
same namespace, of type `kubernetes.io/tls`, which contains
|
||||||
is an extension to the Transport Layer Security (TLS) supported
|
the TLS serving certificate for the HTTPS endpoints served by
|
||||||
by all major browsers. \n SNICertificateSecretName is required if
|
this OIDCProvider. When provided, the TLS Secret named here
|
||||||
you would like to use different TLS certificates for issuers of
|
must contain keys named `tls.crt` and `tls.key` that contain
|
||||||
different hostnames. SNI requests do not include port numbers, so
|
the certificate and private key to use for TLS. \n Server Name
|
||||||
all issuers with the same DNS hostname must use the same SNICertificateSecretName
|
Indication (SNI) is an extension to the Transport Layer Security
|
||||||
value even if they have different port numbers. \n SNICertificateSecretName
|
(TLS) supported by all major browsers. \n SecretName is required
|
||||||
is not required when you would like to use only the HTTP endpoints
|
if you would like to use different TLS certificates for issuers
|
||||||
(e.g. when terminating TLS at an Ingress). It is also not required
|
of different hostnames. SNI requests do not include port numbers,
|
||||||
when you would like all requests to this OIDC Provider's HTTPS endpoints
|
so all issuers with the same DNS hostname must use the same
|
||||||
to use the default TLS certificate, which is configured elsewhere.
|
SecretName value even if they have different port numbers. \n
|
||||||
\n When your Issuer URL's host is an IP address, then this field
|
SecretName is not required when you would like to use only the
|
||||||
is ignored. SNI does not work for IP addresses."
|
HTTP endpoints (e.g. when terminating TLS at an Ingress). It
|
||||||
type: string
|
is also not required when you would like all requests to this
|
||||||
|
OIDC Provider's HTTPS endpoints to use the default TLS certificate,
|
||||||
|
which is configured elsewhere. \n When your Issuer URL's host
|
||||||
|
is an IP address, then this field is ignored. SNI does not work
|
||||||
|
for IP addresses."
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
required:
|
required:
|
||||||
- issuer
|
- issuer
|
||||||
type: object
|
type: object
|
||||||
|
@ -102,7 +102,9 @@ func (c *oidcProviderWatcherController) Sync(ctx controllerlib.Context) error {
|
|||||||
setOfSecretNames = make(map[string]bool)
|
setOfSecretNames = make(map[string]bool)
|
||||||
uniqueSecretNamesPerIssuerAddress[issuerURLToHostnameKey(issuerURL)] = setOfSecretNames
|
uniqueSecretNamesPerIssuerAddress[issuerURLToHostnameKey(issuerURL)] = setOfSecretNames
|
||||||
}
|
}
|
||||||
setOfSecretNames[opc.Spec.SNICertificateSecretName] = true
|
if opc.Spec.TLS != nil {
|
||||||
|
setOfSecretNames[opc.Spec.TLS.SecretName] = true
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
errs := multierror.New()
|
errs := multierror.New()
|
||||||
|
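Review bot: The new nil guard changes what the duplicate-hostname validation sees: a provider whose `tls` block is omitted now contributes nothing to `setOfSecretNames`, while one written as `tls: {}` (non-nil pointer, empty `secretName`) still contributes `""`, so two spellings of "no serving cert" are validated differently, and a hostname shared by one provider using the default cert and another naming a Secret may no longer be counted as conflicting if the later check compares the set's size (that check, like the rest of Sync, is outside this hunk). The tlsCertObserverController hunk in this commit normalizes both cases to an empty `secretName` before using it; the watcher should do the same so both controllers agree on which certificate a hostname maps to. oidcProviderWatcherController.Sync begins and ends outside this hunk.
```go
// … unchanged: issuer URL parsing and setOfSecretNames lookup …
secretName := ""
if opc.Spec.TLS != nil {
	secretName = opc.Spec.TLS.SecretName
}
setOfSecretNames[secretName] = true
```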
@ -819,8 +819,8 @@ func TestSync(t *testing.T) {
|
|||||||
oidcProviderSameIssuerAddress1 = &v1alpha1.OIDCProvider{
|
oidcProviderSameIssuerAddress1 = &v1alpha1.OIDCProvider{
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: "provider1", Namespace: namespace},
|
ObjectMeta: metav1.ObjectMeta{Name: "provider1", Namespace: namespace},
|
||||||
Spec: v1alpha1.OIDCProviderSpec{
|
Spec: v1alpha1.OIDCProviderSpec{
|
||||||
Issuer: "https://iSSueR-duPlicAte-adDress.cOm/path1",
|
Issuer: "https://iSSueR-duPlicAte-adDress.cOm/path1",
|
||||||
SNICertificateSecretName: "secret1",
|
TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "secret1"},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderSameIssuerAddress1))
|
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderSameIssuerAddress1))
|
||||||
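Review bot: None of the updated fixtures in TestSync exercise `TLS: nil`, so the nil branch added to oidcProviderWatcherController.Sync in this commit is not covered; every fixture here and in the TestTLSCertObserverControllerSync hunks sets a non-nil `OIDCProviderTLSSpec`, with the "no secret" case spelled `TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: ""}`. Add at least one provider with `TLS` left unset to each table, ideally as one side of a duplicate-hostname pair, so the behaviour of an omitted `tls` block is pinned by a test. TestSync continues outside this hunk.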
@ -830,8 +830,8 @@ func TestSync(t *testing.T) {
|
|||||||
Spec: v1alpha1.OIDCProviderSpec{
|
Spec: v1alpha1.OIDCProviderSpec{
|
||||||
// Validation treats these as the same DNS hostname even though they have different port numbers,
|
// Validation treats these as the same DNS hostname even though they have different port numbers,
|
||||||
// because SNI information on the incoming requests is not going to include port numbers.
|
// because SNI information on the incoming requests is not going to include port numbers.
|
||||||
Issuer: "https://issuer-duplicate-address.com:1234/path2",
|
Issuer: "https://issuer-duplicate-address.com:1234/path2",
|
||||||
SNICertificateSecretName: "secret2",
|
TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "secret2"},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderSameIssuerAddress2))
|
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderSameIssuerAddress2))
|
||||||
@ -840,8 +840,8 @@ func TestSync(t *testing.T) {
|
|||||||
oidcProviderDifferentIssuerAddress = &v1alpha1.OIDCProvider{
|
oidcProviderDifferentIssuerAddress = &v1alpha1.OIDCProvider{
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: "differentIssuerAddressProvider", Namespace: namespace},
|
ObjectMeta: metav1.ObjectMeta{Name: "differentIssuerAddressProvider", Namespace: namespace},
|
||||||
Spec: v1alpha1.OIDCProviderSpec{
|
Spec: v1alpha1.OIDCProviderSpec{
|
||||||
Issuer: "https://issuer-not-duplicate.com",
|
Issuer: "https://issuer-not-duplicate.com",
|
||||||
SNICertificateSecretName: "secret1",
|
TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "secret1"},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderDifferentIssuerAddress))
|
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderDifferentIssuerAddress))
|
||||||
@ -855,8 +855,8 @@ func TestSync(t *testing.T) {
|
|||||||
oidcProviderWithInvalidIssuerURL = &v1alpha1.OIDCProvider{
|
oidcProviderWithInvalidIssuerURL = &v1alpha1.OIDCProvider{
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: "invalidIssuerURLProvider", Namespace: namespace},
|
ObjectMeta: metav1.ObjectMeta{Name: "invalidIssuerURLProvider", Namespace: namespace},
|
||||||
Spec: v1alpha1.OIDCProviderSpec{
|
Spec: v1alpha1.OIDCProviderSpec{
|
||||||
Issuer: invalidIssuerURL,
|
Issuer: invalidIssuerURL,
|
||||||
SNICertificateSecretName: "secret1",
|
TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "secret1"},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderWithInvalidIssuerURL))
|
r.NoError(pinnipedAPIClient.Tracker().Add(oidcProviderWithInvalidIssuerURL))
|
||||||
|
@ -72,7 +72,10 @@ func (c *tlsCertObserverController) Sync(ctx controllerlib.Context) error {
|
|||||||
issuerHostToTLSCertMap := map[string]*tls.Certificate{}
|
issuerHostToTLSCertMap := map[string]*tls.Certificate{}
|
||||||
|
|
||||||
for _, provider := range allProviders {
|
for _, provider := range allProviders {
|
||||||
secretName := provider.Spec.SNICertificateSecretName
|
secretName := ""
|
||||||
|
if provider.Spec.TLS != nil {
|
||||||
|
secretName = provider.Spec.TLS.SecretName
|
||||||
|
}
|
||||||
issuerURL, err := url.Parse(provider.Spec.Issuer)
|
issuerURL, err := url.Parse(provider.Spec.Issuer)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.InfoS("tlsCertObserverController Sync found an invalid issuer URL", "namespace", ns, "issuer", provider.Spec.Issuer)
|
klog.InfoS("tlsCertObserverController Sync found an invalid issuer URL", "namespace", ns, "issuer", provider.Spec.Issuer)
|
||||||
|
@ -225,8 +225,8 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
|
|||||||
Namespace: installedInNamespace,
|
Namespace: installedInNamespace,
|
||||||
},
|
},
|
||||||
Spec: v1alpha1.OIDCProviderSpec{
|
Spec: v1alpha1.OIDCProviderSpec{
|
||||||
Issuer: "https://no-secret-issuer2.com",
|
Issuer: "https://no-secret-issuer2.com",
|
||||||
SNICertificateSecretName: "",
|
TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: ""},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
oidcProviderWithBadSecret := &v1alpha1.OIDCProvider{
|
oidcProviderWithBadSecret := &v1alpha1.OIDCProvider{
|
||||||
@ -235,8 +235,8 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
|
|||||||
Namespace: installedInNamespace,
|
Namespace: installedInNamespace,
|
||||||
},
|
},
|
||||||
Spec: v1alpha1.OIDCProviderSpec{
|
Spec: v1alpha1.OIDCProviderSpec{
|
||||||
Issuer: "https://bad-secret-issuer.com",
|
Issuer: "https://bad-secret-issuer.com",
|
||||||
SNICertificateSecretName: "bad-tls-secret-name",
|
TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "bad-tls-secret-name"},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
// Also add one with a URL that cannot be parsed to make sure that the controller is not confused by invalid URLs.
|
// Also add one with a URL that cannot be parsed to make sure that the controller is not confused by invalid URLs.
|
||||||
@ -257,8 +257,8 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
|
|||||||
},
|
},
|
||||||
// Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test without a port number.
|
// Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test without a port number.
|
||||||
Spec: v1alpha1.OIDCProviderSpec{
|
Spec: v1alpha1.OIDCProviderSpec{
|
||||||
Issuer: "https://www.iSSuer-wiTh-goOd-secRet1.cOm/path",
|
Issuer: "https://www.iSSuer-wiTh-goOd-secRet1.cOm/path",
|
||||||
SNICertificateSecretName: "good-tls-secret-name1",
|
TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "good-tls-secret-name1"},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
oidcProviderWithGoodSecret2 := &v1alpha1.OIDCProvider{
|
oidcProviderWithGoodSecret2 := &v1alpha1.OIDCProvider{
|
||||||
@ -268,8 +268,8 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
|
|||||||
},
|
},
|
||||||
// Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test with a port number.
|
// Issuer hostname should be treated in a case-insensitive way and SNI ignores port numbers. Test with a port number.
|
||||||
Spec: v1alpha1.OIDCProviderSpec{
|
Spec: v1alpha1.OIDCProviderSpec{
|
||||||
Issuer: "https://www.issUEr-WIth-gOOd-seCret2.com:1234/path",
|
Issuer: "https://www.issUEr-WIth-gOOd-seCret2.com:1234/path",
|
||||||
SNICertificateSecretName: "good-tls-secret-name2",
|
TLS: &v1alpha1.OIDCProviderTLSSpec{SecretName: "good-tls-secret-name2"},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
testCrt1 := readTestFile("testdata/test.crt")
|
testCrt1 := readTestFile("testdata/test.crt")
|
||||||
|
@ -159,26 +159,26 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
|
|||||||
|
|
||||||
hostname1 := strings.Split(address, ":")[0]
|
hostname1 := strings.Split(address, ":")[0]
|
||||||
issuer1 := fmt.Sprintf("%s://%s/issuer1", scheme, address)
|
issuer1 := fmt.Sprintf("%s://%s/issuer1", scheme, address)
|
||||||
sniCertificateSecretName1 := "integration-test-sni-cert-1"
|
certSecretName1 := "integration-test-cert-1"
|
||||||
|
|
||||||
// Create an OIDCProvider with an sniCertificateSecretName.
|
// Create an OIDCProvider with a spec.tls.secretName.
|
||||||
oidcProvider1 := library.CreateTestOIDCProvider(ctx, t, issuer1, sniCertificateSecretName1)
|
oidcProvider1 := library.CreateTestOIDCProvider(ctx, t, issuer1, certSecretName1)
|
||||||
requireStatus(t, pinnipedClient, oidcProvider1.Namespace, oidcProvider1.Name, v1alpha1.SuccessOIDCProviderStatusCondition)
|
requireStatus(t, pinnipedClient, oidcProvider1.Namespace, oidcProvider1.Name, v1alpha1.SuccessOIDCProviderStatusCondition)
|
||||||
|
|
||||||
// The sniCertificateSecretName Secret does not exist, so the endpoints should fail with TLS errors.
|
// The spec.tls.secretName Secret does not exist, so the endpoints should fail with TLS errors.
|
||||||
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1)
|
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1)
|
||||||
|
|
||||||
// Create the Secret.
|
// Create the Secret.
|
||||||
ca1 := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, sniCertificateSecretName1, kubeClient)
|
ca1 := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, certSecretName1, kubeClient)
|
||||||
|
|
||||||
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA.
|
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA.
|
||||||
_ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1.Bundle()), issuer1, nil)
|
_ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1.Bundle()), issuer1, nil)
|
||||||
|
|
||||||
// Update the config to take away the sniCertificateSecretName.
|
// Update the config to with a new .spec.tls.secretName.
|
||||||
sniCertificateSecretName1update := "integration-test-sni-cert-1-update"
|
certSecretName1update := "integration-test-cert-1-update"
|
||||||
oidcProvider1LatestVersion, err := pinnipedClient.ConfigV1alpha1().OIDCProviders(ns).Get(ctx, oidcProvider1.Name, metav1.GetOptions{})
|
oidcProvider1LatestVersion, err := pinnipedClient.ConfigV1alpha1().OIDCProviders(ns).Get(ctx, oidcProvider1.Name, metav1.GetOptions{})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
oidcProvider1LatestVersion.Spec.SNICertificateSecretName = sniCertificateSecretName1update
|
oidcProvider1LatestVersion.Spec.TLS = &v1alpha1.OIDCProviderTLSSpec{SecretName: certSecretName1update}
|
||||||
_, err = pinnipedClient.ConfigV1alpha1().OIDCProviders(ns).Update(ctx, oidcProvider1LatestVersion, metav1.UpdateOptions{})
|
_, err = pinnipedClient.ConfigV1alpha1().OIDCProviders(ns).Update(ctx, oidcProvider1LatestVersion, metav1.UpdateOptions{})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
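Review bot: The updated comment in this hunk reads `// Update the config to with a new .spec.tls.secretName.`, which has a stray "to"; it should read `// Update the config with a new .spec.tls.secretName.`. The previous wording said the update took the name away, so this comment change is a real correction of what the test does and worth getting right. TestSupervisorTLSTerminationWithSNI starts and ends outside this hunk.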
@ -186,7 +186,7 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
|
|||||||
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1)
|
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1)
|
||||||
|
|
||||||
// Create a Secret at the updated name.
|
// Create a Secret at the updated name.
|
||||||
ca1update := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, sniCertificateSecretName1update, kubeClient)
|
ca1update := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, certSecretName1update, kubeClient)
|
||||||
|
|
||||||
// Now that the Secret exists at the new name, we should be able to access the endpoints by hostname using the CA.
|
// Now that the Secret exists at the new name, we should be able to access the endpoints by hostname using the CA.
|
||||||
_ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1update.Bundle()), issuer1, nil)
|
_ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1update.Bundle()), issuer1, nil)
|
||||||
@ -195,14 +195,14 @@ func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
|
|||||||
hostname2 := "some-issuer-host-and-port-that-doesnt-match-public-supervisor-address.com"
|
hostname2 := "some-issuer-host-and-port-that-doesnt-match-public-supervisor-address.com"
|
||||||
hostnamePort2 := "2684"
|
hostnamePort2 := "2684"
|
||||||
issuer2 := fmt.Sprintf("%s://%s:%s/issuer2", scheme, hostname2, hostnamePort2)
|
issuer2 := fmt.Sprintf("%s://%s:%s/issuer2", scheme, hostname2, hostnamePort2)
|
||||||
sniCertificateSecretName2 := "integration-test-sni-cert-2"
|
certSecretName2 := "integration-test-cert-2"
|
||||||
|
|
||||||
// Create an OIDCProvider with an sniCertificateSecretName.
|
// Create an OIDCProvider with a spec.tls.secretName.
|
||||||
oidcProvider2 := library.CreateTestOIDCProvider(ctx, t, issuer2, sniCertificateSecretName2)
|
oidcProvider2 := library.CreateTestOIDCProvider(ctx, t, issuer2, certSecretName2)
|
||||||
requireStatus(t, pinnipedClient, oidcProvider2.Namespace, oidcProvider2.Name, v1alpha1.SuccessOIDCProviderStatusCondition)
|
requireStatus(t, pinnipedClient, oidcProvider2.Namespace, oidcProvider2.Name, v1alpha1.SuccessOIDCProviderStatusCondition)
|
||||||
|
|
||||||
// Create the Secret.
|
// Create the Secret.
|
||||||
ca2 := createTLSCertificateSecret(ctx, t, ns, hostname2, nil, sniCertificateSecretName2, kubeClient)
|
ca2 := createTLSCertificateSecret(ctx, t, ns, hostname2, nil, certSecretName2, kubeClient)
|
||||||
|
|
||||||
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA.
|
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA.
|
||||||
_ = requireDiscoveryEndpointsAreWorking(t, scheme, hostname2+":"+hostnamePort2, string(ca2.Bundle()), issuer2, map[string]string{
|
_ = requireDiscoveryEndpointsAreWorking(t, scheme, hostname2+":"+hostnamePort2, string(ca2.Bundle()), issuer2, map[string]string{
|
||||||
@ -240,11 +240,11 @@ func TestSupervisorTLSTerminationWithDefaultCerts(t *testing.T) {
|
|||||||
issuerUsingIPAddress := fmt.Sprintf("%s://%s/issuer1", scheme, ipWithPort)
|
issuerUsingIPAddress := fmt.Sprintf("%s://%s/issuer1", scheme, ipWithPort)
|
||||||
issuerUsingHostname := fmt.Sprintf("%s://%s/issuer1", scheme, address)
|
issuerUsingHostname := fmt.Sprintf("%s://%s/issuer1", scheme, address)
|
||||||
|
|
||||||
// Create an OIDCProvider without an sniCertificateSecretName.
|
// Create an OIDCProvider without a spec.tls.secretName.
|
||||||
oidcProvider1 := library.CreateTestOIDCProvider(ctx, t, issuerUsingIPAddress, "")
|
oidcProvider1 := library.CreateTestOIDCProvider(ctx, t, issuerUsingIPAddress, "")
|
||||||
requireStatus(t, pinnipedClient, oidcProvider1.Namespace, oidcProvider1.Name, v1alpha1.SuccessOIDCProviderStatusCondition)
|
requireStatus(t, pinnipedClient, oidcProvider1.Namespace, oidcProvider1.Name, v1alpha1.SuccessOIDCProviderStatusCondition)
|
||||||
|
|
||||||
// There is no default TLS cert and the sniCertificateSecretName was not set, so the endpoints should fail with TLS errors.
|
// There is no default TLS cert and the spec.tls.secretName was not set, so the endpoints should fail with TLS errors.
|
||||||
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuerUsingIPAddress)
|
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuerUsingIPAddress)
|
||||||
|
|
||||||
// Create a Secret at the special name which represents the default TLS cert.
|
// Create a Secret at the special name which represents the default TLS cert.
|
||||||
@ -253,18 +253,18 @@ func TestSupervisorTLSTerminationWithDefaultCerts(t *testing.T) {
|
|||||||
// Now that the Secret exists, we should be able to access the endpoints by IP address using the CA.
|
// Now that the Secret exists, we should be able to access the endpoints by IP address using the CA.
|
||||||
_ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil)
|
_ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil)
|
||||||
|
|
||||||
// Create an OIDCProvider with an sniCertificateSecretName.
|
// Create an OIDCProvider with a spec.tls.secretName.
|
||||||
sniCertificateSecretName := "integration-test-sni-cert-1"
|
certSecretName := "integration-test-cert-1"
|
||||||
oidcProvider2 := library.CreateTestOIDCProvider(ctx, t, issuerUsingHostname, sniCertificateSecretName)
|
oidcProvider2 := library.CreateTestOIDCProvider(ctx, t, issuerUsingHostname, certSecretName)
|
||||||
requireStatus(t, pinnipedClient, oidcProvider2.Namespace, oidcProvider2.Name, v1alpha1.SuccessOIDCProviderStatusCondition)
|
requireStatus(t, pinnipedClient, oidcProvider2.Namespace, oidcProvider2.Name, v1alpha1.SuccessOIDCProviderStatusCondition)
|
||||||
|
|
||||||
// Create the Secret.
|
// Create the Secret.
|
||||||
sniCA := createTLSCertificateSecret(ctx, t, ns, hostname, nil, sniCertificateSecretName, kubeClient)
|
certCA := createTLSCertificateSecret(ctx, t, ns, hostname, nil, certSecretName, kubeClient)
|
||||||
|
|
||||||
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA from the SNI cert.
|
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA from the SNI cert.
|
||||||
// Hostnames are case-insensitive, so the request should still work even if the case of the hostname is different
|
// Hostnames are case-insensitive, so the request should still work even if the case of the hostname is different
|
||||||
// from the case of the issuer URL's hostname.
|
// from the case of the issuer URL's hostname.
|
||||||
_ = requireDiscoveryEndpointsAreWorking(t, scheme, strings.ToUpper(hostname)+":"+port, string(sniCA.Bundle()), issuerUsingHostname, nil)
|
_ = requireDiscoveryEndpointsAreWorking(t, scheme, strings.ToUpper(hostname)+":"+port, string(certCA.Bundle()), issuerUsingHostname, nil)
|
||||||
|
|
||||||
// And we can still access the other issuer using the default cert.
|
// And we can still access the other issuer using the default cert.
|
||||||
_ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil)
|
_ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil)
|
||||||
|
@ -172,7 +172,7 @@ func CreateTestWebhookAuthenticator(ctx context.Context, t *testing.T) corev1.Ty
|
|||||||
//
|
//
|
||||||
// If the provided issuer is not the empty string, then it will be used for the
|
// If the provided issuer is not the empty string, then it will be used for the
|
||||||
// OIDCProvider.Spec.Issuer field. Else, a random issuer will be generated.
|
// OIDCProvider.Spec.Issuer field. Else, a random issuer will be generated.
|
||||||
func CreateTestOIDCProvider(ctx context.Context, t *testing.T, issuer, sniCertificateSecretName string) *configv1alpha1.OIDCProvider {
|
func CreateTestOIDCProvider(ctx context.Context, t *testing.T, issuer, certSecretName string) *configv1alpha1.OIDCProvider {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
testEnv := IntegrationEnv(t)
|
testEnv := IntegrationEnv(t)
|
||||||
|
|
||||||
@ -193,8 +193,8 @@ func CreateTestOIDCProvider(ctx context.Context, t *testing.T, issuer, sniCertif
|
|||||||
Annotations: map[string]string{"pinniped.dev/testName": t.Name()},
|
Annotations: map[string]string{"pinniped.dev/testName": t.Name()},
|
||||||
},
|
},
|
||||||
Spec: configv1alpha1.OIDCProviderSpec{
|
Spec: configv1alpha1.OIDCProviderSpec{
|
||||||
Issuer: issuer,
|
Issuer: issuer,
|
||||||
SNICertificateSecretName: sniCertificateSecretName,
|
TLS: &configv1alpha1.OIDCProviderTLSSpec{SecretName: certSecretName},
|
||||||
},
|
},
|
||||||
}, metav1.CreateOptions{})
|
}, metav1.CreateOptions{})
|
||||||
require.NoError(t, err, "could not create test OIDCProvider")
|
require.NoError(t, err, "could not create test OIDCProvider")
|
||||||
|
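Review bot: `CreateTestOIDCProvider` now always sets `Spec.TLS` to a non-nil `OIDCProviderTLSSpec`, even when `certSecretName` is empty, so a caller such as the `CreateTestOIDCProvider(ctx, t, issuerUsingIPAddress, "")` line in TestSupervisorTLSTerminationWithDefaultCerts (commented as "without a spec.tls.secretName") creates `tls: {secretName: ""}` rather than an omitted `tls` block, and the omitted-`tls` path that both controllers now guard for is never exercised end to end. Consider building the spec in a local and only assigning `spec.TLS = &configv1alpha1.OIDCProviderTLSSpec{SecretName: certSecretName}` inside `if certSecretName != ""`. The doc comment above the signature (context in the earlier hunk) describes `issuer` but not the renamed parameter; add `// If certSecretName is not empty, it is used as the OIDCProvider.Spec.TLS.SecretName.` The function body continues outside this hunk.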