djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/main' into arch-doc

Browse Source
This commit is contained in:
Ryan Richard 2020-09-15 14:02:21 -07:00
commit 321c6a5392
173 changed files with 8412 additions and 528 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitattributes vendored Normal file
View File

@ -0,0 +1,2 @@
*.go.tmpl linguist-language=Go
generated/** linguist-generated

9
ADOPTERS.md Normal file
View File

@ -0,0 +1,9 @@
# Pinniped Adopters
These organizations are using Pinniped.
* [VMware Tanzu](https://tanzu.vmware.com/) ([Tanzu Mission Control](https://tanzu.vmware.com/mission-control))
If you are using Pinniped and are not on this list, you can open a [pull
request](https://github.com/suzerain-io/pinniped/issues/new?template=feature-proposal.md)
to add yourself.

17
MAINTAINERS.md Normal file
View File

@ -0,0 +1,17 @@
# Pinniped Maintainers
This is the current list of maintainers for the Pinniped project.
| Maintainer | GitHub ID | Affiliation |
| --------------- | --------- | ----------- |
| Andrew Keesler | [ankeesler](https://github.com/ankeesler) | [VMware](https://www.github.com/vmware/) |
| Matt Moyer | [mattmoyer](https://github.com/mattmoyer) | [VMware](https://www.github.com/vmware/) |
| Pablo Schuhmacher | [pabloschuhmacher](https://github.com/pabloschuhmacher) | [VMware](https://www.github.com/vmware/) |
| Ryan Richard | [cfryanr](https://github.com/cfryanr) | [VMware](https://www.github.com/vmware/) |
## Pinniped Contributors & Stakeholders
| Feature Area | Lead |
| ----------------------------- | :---------------------: |
| Technical Lead | Matt Moyer (mattmoyer) |
| Product Management | Pablo Schuhmacher (pabloschuhmacher) |

4
README.md
View File

@ -34,6 +34,10 @@ To learn more, see [architecture.md](doc/architecture.md).
![example-deployment-architecture](doc/img/pinniped-architecture.svg)
## Trying Pinniped
Care to kick the tires? It's easy to [install and try Pinniped](doc/demo.md).
## Installation
Currently, Pinniped supports self-hosted clusters where the Kube Controller Manager pod

10
apis/idp/doc.go.tmpl Normal file
View File

@ -0,0 +1,10 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// +k8s:deepcopy-gen=package
// +groupName=idp.pinniped.dev
// Package idp is the internal version of the Pinniped identity provider API.
package idp

6
apis/idp/v1alpha1/conversion.go.tmpl Normal file
View File

@ -0,0 +1,6 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1

14
apis/idp/v1alpha1/defaults.go.tmpl Normal file
View File

@ -0,0 +1,14 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1
import (
"k8s.io/apimachinery/pkg/runtime"
)
func addDefaultingFuncs(scheme *runtime.Scheme) error {
return RegisterDefaults(scheme)
}

14
apis/idp/v1alpha1/doc.go.tmpl Normal file
View File

@ -0,0 +1,14 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// +k8s:openapi-gen=true
// +k8s:deepcopy-gen=package
// +k8s:conversion-gen=github.com/suzerain-io/pinniped/GENERATED_PKG/apis/idp
// +k8s:defaulter-gen=TypeMeta
// +groupName=idp.pinniped.dev
// +groupGoName=IDP
// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
package v1alpha1

45
apis/idp/v1alpha1/register.go.tmpl Normal file
View File

@ -0,0 +1,45 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
)
const GroupName = "idp.pinniped.dev"
// SchemeGroupVersion is group version used to register these objects.
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
var (
SchemeBuilder runtime.SchemeBuilder
localSchemeBuilder = &SchemeBuilder
AddToScheme = localSchemeBuilder.AddToScheme
)
func init() {
// We only register manually written functions here. The registration of the
// generated functions takes place in the generated files. The separation
// makes the code compile even when the generated files are missing.
localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
}
// Adds the list of known types to the given scheme.
func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&WebhookIdentityProvider{},
&WebhookIdentityProviderList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil
}
// Resource takes an unqualified resource and returns a Group qualified GroupResource.
func Resource(resource string) schema.GroupResource {
return SchemeGroupVersion.WithResource(resource).GroupResource()
}

77
apis/idp/v1alpha1/types_meta.go.tmpl Normal file
View File

@ -0,0 +1,77 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
// ConditionStatus is effectively an enum type for Condition.Status.
type ConditionStatus string
// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.
// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes
// can't decide if a resource is in the condition or not. In the future, we could add other
// intermediate conditions, e.g. ConditionDegraded.
const (
ConditionTrue ConditionStatus = "True"
ConditionFalse ConditionStatus = "False"
ConditionUnknown ConditionStatus = "Unknown"
)
// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API
// version we can switch to using the upstream type.
// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
type Condition struct {
// type of condition in CamelCase or in foo.example.com/CamelCase.
// ---
// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
// useful (see .node.status.conditions), the ability to deconflict is important.
// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
// +kubebuilder:validation:MaxLength=316
Type string `json:"type"`
// status of the condition, one of True, False, Unknown.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Enum=True;False;Unknown
Status ConditionStatus `json:"status"`
// observedGeneration represents the .metadata.generation that the condition was set based upon.
// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
// with respect to the current state of the instance.
// +optional
// +kubebuilder:validation:Minimum=0
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
// lastTransitionTime is the last time the condition transitioned from one status to another.
// This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Type=string
// +kubebuilder:validation:Format=date-time
LastTransitionTime metav1.Time `json:"lastTransitionTime"`
// reason contains a programmatic identifier indicating the reason for the condition's last transition.
// Producers of specific condition types may define expected values and meanings for this field,
// and whether the values are considered a guaranteed API.
// The value should be a CamelCase string.
// This field may not be empty.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:MaxLength=1024
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`
Reason string `json:"reason"`
// message is a human readable message indicating details about the transition.
// This may be an empty string.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:MaxLength=32768
Message string `json:"message"`
}

13
apis/idp/v1alpha1/types_tls.go.tmpl Normal file
View File

@ -0,0 +1,13 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1
// Configuration for configuring TLS on various identity providers.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
}

55
apis/idp/v1alpha1/types_webhook.go.tmpl Normal file
View File

@ -0,0 +1,55 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
// Status of a webhook identity provider.
type WebhookIdentityProviderStatus struct {
// Represents the observations of an identity provider's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
// Spec for configuring a webhook identity provider.
type WebhookIdentityProviderSpec struct {
// Webhook server endpoint URL.
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:Pattern=`^https://`
Endpoint string `json:"endpoint"`
// TLS configuration.
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
}
// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps
// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
type WebhookIdentityProvider struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the identity provider.
Spec WebhookIdentityProviderSpec `json:"spec"`
// Status of the identity provider.
Status WebhookIdentityProviderStatus `json:"status,omitempty"`
}
// List of WebhookIdentityProvider objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type WebhookIdentityProviderList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []WebhookIdentityProvider `json:"items"`
}

27
apis/pinniped/v1alpha1/types.go.tmpl
View File

@ -13,19 +13,23 @@ const (
TokenCredentialType = CredentialType("token")
)
// CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider.
type CredentialRequestTokenCredential struct {
// Value of the bearer token supplied with the credential request.
Value string `json:"value,omitempty" protobuf:"bytes,1,opt,name=value"`
Value string `json:"value,omitempty"`
}
// CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API
type CredentialRequestSpec struct {
// Type of credential.
Type CredentialType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type"`
Type CredentialType `json:"type,omitempty"`
// Token credential (when Type == TokenCredentialType).
Token *CredentialRequestTokenCredential `json:"token,omitempty" protobuf:"bytes,2,opt,name=token"`
Token *CredentialRequestTokenCredential `json:"token,omitempty"`
}
// CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It
// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
type CredentialRequestCredential struct {
// ExpirationTimestamp indicates a time when the provided credentials expire.
ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"`
@ -40,6 +44,7 @@ type CredentialRequestCredential struct {
ClientKeyData string `json:"clientKeyData,omitempty"`
}
// CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API.
type CredentialRequestStatus struct {
// A Credential will be returned for a successful credential request.
// +optional
@ -50,25 +55,25 @@ type CredentialRequestStatus struct {
Message *string `json:"message,omitempty"`
}
// CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type CredentialRequest struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec CredentialRequestSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
Status CredentialRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
Spec CredentialRequestSpec `json:"spec,omitempty"`
Status CredentialRequestStatus `json:"status,omitempty"`
}
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// CredentialRequestList is a list of CredentialRequest objects.
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type CredentialRequestList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []CredentialRequest `json:"items" protobuf:"bytes,2,rep,name=items"`
Items []CredentialRequest `json:"items"`
}

126
cmd/pinniped/cmd/exchange_credential.go Normal file
View File

@ -0,0 +1,126 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package cmd
import (
"context"
"encoding/json"
"fmt"
"io"
"os"
"time"
"github.com/spf13/cobra"
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
"github.com/suzerain-io/pinniped/internal/client"
"github.com/suzerain-io/pinniped/internal/constable"
"github.com/suzerain-io/pinniped/internal/here"
)
//nolint: gochecknoinits
func init() {
rootCmd.AddCommand(newExchangeCredentialCmd(os.Args, os.Stdout, os.Stderr).cmd)
}
type exchangeCredentialCommand struct {
// runFunc is called by the cobra.Command.Run hook. It is included here for
// testability.
runFunc func(stdout, stderr io.Writer)
// cmd is the cobra.Command for this CLI command. It is included here for
// testability.
cmd *cobra.Command
}
func newExchangeCredentialCmd(args []string, stdout, stderr io.Writer) *exchangeCredentialCommand {
c := &exchangeCredentialCommand{
runFunc: runExchangeCredential,
}
c.cmd = &cobra.Command{
Run: func(cmd *cobra.Command, _ []string) {
c.runFunc(stdout, stderr)
},
Args: cobra.NoArgs, // do not accept positional arguments for this command
Use: "exchange-credential",
Short: "Exchange a credential for a cluster-specific access credential",
Long: here.Doc(`
Exchange a credential which proves your identity for a time-limited,
cluster-specific access credential.
Designed to be conveniently used as an credential plugin for kubectl.
See the help message for 'pinniped get-kubeconfig' for more
information about setting up a kubeconfig file using Pinniped.
Requires all of the following environment variables, which are
typically set in the kubeconfig:
- PINNIPED_TOKEN: the token to send to Pinniped for exchange
- PINNIPED_CA_BUNDLE: the CA bundle to trust when calling
Pinniped's HTTPS endpoint
- PINNIPED_K8S_API_ENDPOINT: the URL for the Pinniped credential
exchange API
For more information about credential plugins in general, see
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
`),
}
c.cmd.SetArgs(args)
c.cmd.SetOut(stdout)
c.cmd.SetErr(stderr)
return c
}
type envGetter func(string) (string, bool)
type tokenExchanger func(ctx context.Context, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error)
const ErrMissingEnvVar = constable.Error("failed to get credential: environment variable not set")
func runExchangeCredential(stdout, _ io.Writer) {
err := exchangeCredential(os.LookupEnv, client.ExchangeToken, stdout, 30*time.Second)
if err != nil {
_, _ = fmt.Fprintf(os.Stderr, "%s\n", err.Error())
os.Exit(1)
}
}
func exchangeCredential(envGetter envGetter, tokenExchanger tokenExchanger, outputWriter io.Writer, timeout time.Duration) error {
ctx, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel()
token, varExists := envGetter("PINNIPED_TOKEN")
if !varExists {
return envVarNotSetError("PINNIPED_TOKEN")
}
caBundle, varExists := envGetter("PINNIPED_CA_BUNDLE")
if !varExists {
return envVarNotSetError("PINNIPED_CA_BUNDLE")
}
apiEndpoint, varExists := envGetter("PINNIPED_K8S_API_ENDPOINT")
if !varExists {
return envVarNotSetError("PINNIPED_K8S_API_ENDPOINT")
}
cred, err := tokenExchanger(ctx, token, caBundle, apiEndpoint)
if err != nil {
return fmt.Errorf("failed to get credential: %w", err)
}
err = json.NewEncoder(outputWriter).Encode(cred)
if err != nil {
return fmt.Errorf("failed to marshal response to stdout: %w", err)
}
return nil
}
func envVarNotSetError(varName string) error {
return fmt.Errorf("%w: %s", ErrMissingEnvVar, varName)
}

117
cmd/pinniped/main_test.go → cmd/pinniped/cmd/exchange_credential_test.go
View File

@ -3,12 +3,13 @@ Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package main
package cmd
import (
"bytes"
"context"
"fmt"
"io"
"testing"
"time"
@ -18,11 +19,107 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
"github.com/suzerain-io/pinniped/internal/here"
"github.com/suzerain-io/pinniped/internal/testutil"
)
func TestRun(t *testing.T) {
spec.Run(t, "main.run", func(t *testing.T, when spec.G, it spec.S) {
var (
knownGoodUsageForExchangeCredential = here.Doc(`
Usage:
exchange-credential [flags]
Flags:
-h, --help help for exchange-credential
`)
knownGoodHelpForExchangeCredential = here.Doc(`
Exchange a credential which proves your identity for a time-limited,
cluster-specific access credential.
Designed to be conveniently used as an credential plugin for kubectl.
See the help message for 'pinniped get-kubeconfig' for more
information about setting up a kubeconfig file using Pinniped.
Requires all of the following environment variables, which are
typically set in the kubeconfig:
- PINNIPED_TOKEN: the token to send to Pinniped for exchange
- PINNIPED_CA_BUNDLE: the CA bundle to trust when calling
Pinniped's HTTPS endpoint
- PINNIPED_K8S_API_ENDPOINT: the URL for the Pinniped credential
exchange API
For more information about credential plugins in general, see
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
Usage:
exchange-credential [flags]
Flags:
-h, --help help for exchange-credential
`)
)
func TestNewCredentialExchangeCmd(t *testing.T) {
spec.Run(t, "newCredentialExchangeCmd", func(t *testing.T, when spec.G, it spec.S) {
var r *require.Assertions
var stdout, stderr *bytes.Buffer
it.Before(func() {
r = require.New(t)
stdout, stderr = bytes.NewBuffer([]byte{}), bytes.NewBuffer([]byte{})
})
it("calls runFunc and does not print usage or help when correct arguments and flags are used", func() {
c := newExchangeCredentialCmd([]string{}, stdout, stderr)
runFuncCalled := false
c.runFunc = func(out, err io.Writer) {
runFuncCalled = true
}
r.NoError(c.cmd.Execute())
r.True(runFuncCalled)
r.Empty(stdout.String())
r.Empty(stderr.String())
})
it("fails when args are passed", func() {
c := newExchangeCredentialCmd([]string{"some-arg"}, stdout, stderr)
runFuncCalled := false
c.runFunc = func(out, err io.Writer) {
runFuncCalled = true
}
errorMessage := `unknown command "some-arg" for "exchange-credential"`
r.EqualError(c.cmd.Execute(), errorMessage)
r.False(runFuncCalled)
output := "Error: " + errorMessage + "\n" + knownGoodUsageForExchangeCredential
r.Equal(output, stdout.String())
r.Empty(stderr.String())
})
it("prints a nice help message", func() {
c := newExchangeCredentialCmd([]string{"--help"}, stdout, stderr)
runFuncCalled := false
c.runFunc = func(out, err io.Writer) {
runFuncCalled = true
}
r.NoError(c.cmd.Execute())
r.False(runFuncCalled)
r.Equal(knownGoodHelpForExchangeCredential, stdout.String())
r.Empty(stderr.String())
})
}, spec.Parallel(), spec.Report(report.Terminal{}))
}
func TestExchangeCredential(t *testing.T) {
spec.Run(t, "cmd.exchangeCredential", func(t *testing.T, when spec.G, it spec.S) {
var r *require.Assertions
var buffer *bytes.Buffer
var tokenExchanger tokenExchanger
@ -49,19 +146,19 @@ func TestRun(t *testing.T) {
when("env vars are missing", func() {
it("returns an error when PINNIPED_TOKEN is missing", func() {
delete(fakeEnv, "PINNIPED_TOKEN")
err := run(envGetter, tokenExchanger, buffer, 30*time.Second)
err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_TOKEN")
})
it("returns an error when PINNIPED_CA_BUNDLE is missing", func() {
delete(fakeEnv, "PINNIPED_CA_BUNDLE")
err := run(envGetter, tokenExchanger, buffer, 30*time.Second)
err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_CA_BUNDLE")
})
it("returns an error when PINNIPED_K8S_API_ENDPOINT is missing", func() {
delete(fakeEnv, "PINNIPED_K8S_API_ENDPOINT")
err := run(envGetter, tokenExchanger, buffer, 30*time.Second)
err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_K8S_API_ENDPOINT")
})
})
@ -74,7 +171,7 @@ func TestRun(t *testing.T) {
})
it("returns an error", func() {
err := run(envGetter, tokenExchanger, buffer, 30*time.Second)
err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
r.EqualError(err, "failed to get credential: some error")
})
})
@ -91,7 +188,7 @@ func TestRun(t *testing.T) {
})
it("returns an error", func() {
err := run(envGetter, tokenExchanger, &testutil.ErrorWriter{ReturnError: fmt.Errorf("some IO error")}, 30*time.Second)
err := exchangeCredential(envGetter, tokenExchanger, &testutil.ErrorWriter{ReturnError: fmt.Errorf("some IO error")}, 30*time.Second)
r.EqualError(err, "failed to marshal response to stdout: some IO error")
})
})
@ -113,7 +210,7 @@ func TestRun(t *testing.T) {
})
it("returns an error", func() {
err := run(envGetter, tokenExchanger, buffer, 1*time.Millisecond)
err := exchangeCredential(envGetter, tokenExchanger, buffer, 1*time.Millisecond)
r.EqualError(err, "failed to get credential: context deadline exceeded")
})
})
@ -141,7 +238,7 @@ func TestRun(t *testing.T) {
})
it("writes the execCredential to the given writer", func() {
err := run(envGetter, tokenExchanger, buffer, 30*time.Second)
err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second)
r.NoError(err)
r.Equal(fakeEnv["PINNIPED_TOKEN"], actualToken)
r.Equal(fakeEnv["PINNIPED_CA_BUNDLE"], actualCaBundle)

347
cmd/pinniped/cmd/get_kubeconfig.go Normal file
View File

@ -0,0 +1,347 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package cmd
import (
"bytes"
"context"
"encoding/base64"
"fmt"
"io"
"os"
"time"
"github.com/ghodss/yaml"
"github.com/spf13/cobra"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
v1 "k8s.io/client-go/tools/clientcmd/api/v1"
"github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1"
pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned"
"github.com/suzerain-io/pinniped/internal/constable"
"github.com/suzerain-io/pinniped/internal/controller/issuerconfig"
"github.com/suzerain-io/pinniped/internal/here"
)
const (
getKubeConfigCmdTokenFlagName = "token"
getKubeConfigCmdKubeconfigFlagName = "kubeconfig"
getKubeConfigCmdKubeconfigContextFlagName = "kubeconfig-context"
getKubeConfigCmdPinnipedNamespaceFlagName = "pinniped-namespace"
)
//nolint: gochecknoinits
func init() {
rootCmd.AddCommand(newGetKubeConfigCmd(os.Args, os.Stdout, os.Stderr).cmd)
}
type getKubeConfigCommand struct {
// runFunc is called by the cobra.Command.Run hook. It is included here for
// testability.
runFunc func(
stdout, stderr io.Writer,
token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string,
)
// cmd is the cobra.Command for this CLI command. It is included here for
// testability.
cmd *cobra.Command
}
func newGetKubeConfigCmd(args []string, stdout, stderr io.Writer) *getKubeConfigCommand {
c := &getKubeConfigCommand{
runFunc: runGetKubeConfig,
}
c.cmd = &cobra.Command{
Run: func(cmd *cobra.Command, _ []string) {
token := cmd.Flag(getKubeConfigCmdTokenFlagName).Value.String()
kubeconfigPathOverride := cmd.Flag(getKubeConfigCmdKubeconfigFlagName).Value.String()
currentContextOverride := cmd.Flag(getKubeConfigCmdKubeconfigContextFlagName).Value.String()
pinnipedInstallationNamespace := cmd.Flag(getKubeConfigCmdPinnipedNamespaceFlagName).Value.String()
c.runFunc(
stdout,
stderr,
token,
kubeconfigPathOverride,
currentContextOverride,
pinnipedInstallationNamespace,
)
},
Args: cobra.NoArgs, // do not accept positional arguments for this command
Use: "get-kubeconfig",
Short: "Print a kubeconfig for authenticating into a cluster via Pinniped",
Long: here.Doc(`
Print a kubeconfig for authenticating into a cluster via Pinniped.
Requires admin-like access to the cluster using the current
kubeconfig context in order to access Pinniped's metadata.
The current kubeconfig is found similar to how kubectl finds it:
using the value of the --kubeconfig option, or if that is not
specified then from the value of the KUBECONFIG environment
variable, or if that is not specified then it defaults to
.kube/config in your home directory.
Prints a kubeconfig which is suitable to access the cluster using
Pinniped as the authentication mechanism. This kubeconfig output
can be saved to a file and used with future kubectl commands, e.g.:
pinniped get-kubeconfig --token $MY_TOKEN > $HOME/mycluster-kubeconfig
kubectl --kubeconfig $HOME/mycluster-kubeconfig get pods
`),
}
c.cmd.SetArgs(args)
c.cmd.SetOut(stdout)
c.cmd.SetErr(stderr)
c.cmd.Flags().StringP(
getKubeConfigCmdTokenFlagName,
"",
"",
"Credential to include in the resulting kubeconfig output (Required)",
)
err := c.cmd.MarkFlagRequired(getKubeConfigCmdTokenFlagName)
if err != nil {
panic(err)
}
c.cmd.Flags().StringP(
getKubeConfigCmdKubeconfigFlagName,
"",
"",
"Path to the kubeconfig file",
)
c.cmd.Flags().StringP(
getKubeConfigCmdKubeconfigContextFlagName,
"",
"",
"Kubeconfig context override",
)
c.cmd.Flags().StringP(
getKubeConfigCmdPinnipedNamespaceFlagName,
"",
"pinniped",
"Namespace in which Pinniped was installed",
)
return c
}
func runGetKubeConfig(
stdout, stderr io.Writer,
token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string,
) {
err := getKubeConfig(
stdout,
stderr,
token,
kubeconfigPathOverride,
currentContextOverride,
pinnipedInstallationNamespace,
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
return pinnipedclientset.NewForConfig(restConfig)
},
)
if err != nil {
_, _ = fmt.Fprintf(os.Stderr, "error: %s\n", err.Error())
os.Exit(1)
}
}
func getKubeConfig(
outputWriter io.Writer,
warningsWriter io.Writer,
token string,
kubeconfigPathOverride string,
currentContextNameOverride string,
pinnipedInstallationNamespace string,
kubeClientCreator func(restConfig *rest.Config) (pinnipedclientset.Interface, error),
) error {
if token == "" {
return constable.Error("--" + getKubeConfigCmdTokenFlagName + " flag value cannot be empty")
}
fullPathToSelf, err := os.Executable()
if err != nil {
return fmt.Errorf("could not find path to self: %w", err)
}
clientConfig := newClientConfig(kubeconfigPathOverride, currentContextNameOverride)
currentKubeConfig, err := clientConfig.RawConfig()
if err != nil {
return err
}
credentialIssuerConfig, err := fetchPinnipedCredentialIssuerConfig(clientConfig, kubeClientCreator, pinnipedInstallationNamespace)
if err != nil {
return err
}
if credentialIssuerConfig.Status.KubeConfigInfo == nil {
return constable.Error(`CredentialIssuerConfig "pinniped-config" was missing KubeConfigInfo`)
}
v1Cluster, err := copyCurrentClusterFromExistingKubeConfig(currentKubeConfig, currentContextNameOverride)
if err != nil {
return err
}
err = issueWarningForNonMatchingServerOrCA(v1Cluster, credentialIssuerConfig, warningsWriter)
if err != nil {
return err
}
config := newPinnipedKubeconfig(v1Cluster, fullPathToSelf, token)
err = writeConfigAsYAML(outputWriter, config)
if err != nil {
return err
}
return nil
}
func issueWarningForNonMatchingServerOrCA(v1Cluster v1.Cluster, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, warningsWriter io.Writer) error {
credentialIssuerConfigCA, err := base64.StdEncoding.DecodeString(credentialIssuerConfig.Status.KubeConfigInfo.CertificateAuthorityData)
if err != nil {
return err
}
if v1Cluster.Server != credentialIssuerConfig.Status.KubeConfigInfo.Server ||
!bytes.Equal(v1Cluster.CertificateAuthorityData, credentialIssuerConfigCA) {
_, err := warningsWriter.Write([]byte("WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.\n"))
if err != nil {
return fmt.Errorf("output write error: %w", err)
}
}
return nil
}
func fetchPinnipedCredentialIssuerConfig(clientConfig clientcmd.ClientConfig, kubeClientCreator func(restConfig *rest.Config) (pinnipedclientset.Interface, error), pinnipedInstallationNamespace string) (*v1alpha1.CredentialIssuerConfig, error) {
restConfig, err := clientConfig.ClientConfig()
if err != nil {
return nil, err
}
clientset, err := kubeClientCreator(restConfig)
if err != nil {
return nil, err
}
ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20)
defer cancelFunc()
credentialIssuerConfig, err := clientset.CrdV1alpha1().CredentialIssuerConfigs(pinnipedInstallationNamespace).Get(ctx, issuerconfig.ConfigName, metav1.GetOptions{})
if err != nil {
if apierrors.IsNotFound(err) {
return nil, constable.Error(fmt.Sprintf(
`CredentialIssuerConfig "%s" was not found in namespace "%s". Is Pinniped installed on this cluster in namespace "%s"?`,
issuerconfig.ConfigName,
pinnipedInstallationNamespace,
pinnipedInstallationNamespace,
))
}
return nil, err
}
return credentialIssuerConfig, nil
}
func newClientConfig(kubeconfigPathOverride string, currentContextName string) clientcmd.ClientConfig {
loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
loadingRules.ExplicitPath = kubeconfigPathOverride
clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{
CurrentContext: currentContextName,
})
return clientConfig
}
func writeConfigAsYAML(outputWriter io.Writer, config v1.Config) error {
output, err := yaml.Marshal(&config)
if err != nil {
return fmt.Errorf("YAML serialization error: %w", err)
}
_, err = outputWriter.Write(output)
if err != nil {
return fmt.Errorf("output write error: %w", err)
}
return nil
}
func copyCurrentClusterFromExistingKubeConfig(currentKubeConfig clientcmdapi.Config, currentContextNameOverride string) (v1.Cluster, error) {
v1Cluster := v1.Cluster{}
contextName := currentKubeConfig.CurrentContext
if currentContextNameOverride != "" {
contextName = currentContextNameOverride
}
err := v1.Convert_api_Cluster_To_v1_Cluster(
currentKubeConfig.Clusters[currentKubeConfig.Contexts[contextName].Cluster],
&v1Cluster,
nil,
)
if err != nil {
return v1.Cluster{}, err
}
return v1Cluster, nil
}
func newPinnipedKubeconfig(v1Cluster v1.Cluster, fullPathToSelf string, token string) v1.Config {
clusterName := "pinniped-cluster"
userName := "pinniped-user"
return v1.Config{
Kind: "Config",
APIVersion: v1.SchemeGroupVersion.Version,
Preferences: v1.Preferences{},
Clusters: []v1.NamedCluster{
{
Name: clusterName,
Cluster: v1Cluster,
},
},
Contexts: []v1.NamedContext{
{
Name: clusterName,
Context: v1.Context{
Cluster: clusterName,
AuthInfo: userName,
},
},
},
AuthInfos: []v1.NamedAuthInfo{
{
Name: userName,
AuthInfo: v1.AuthInfo{
Exec: &v1.ExecConfig{
Command: fullPathToSelf,
Args: []string{"exchange-credential"},
Env: []v1.ExecEnvVar{
{Name: "PINNIPED_K8S_API_ENDPOINT", Value: v1Cluster.Server},
{Name: "PINNIPED_CA_BUNDLE", Value: string(v1Cluster.CertificateAuthorityData)},
{Name: "PINNIPED_TOKEN", Value: token},
},
APIVersion: clientauthenticationv1beta1.SchemeGroupVersion.String(),
InstallHint: "The Pinniped CLI is required to authenticate to the current cluster.\n" +
"For more information, please visit https://pinniped.dev",
},
},
},
},
CurrentContext: clusterName,
}
}

642
cmd/pinniped/cmd/get_kubeconfig_test.go Normal file
View File

@ -0,0 +1,642 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package cmd
import (
"bytes"
"encoding/base64"
"fmt"
"io"
"os"
"testing"
"github.com/sclevine/spec"
"github.com/sclevine/spec/report"
"github.com/stretchr/testify/require"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/client-go/rest"
crdpinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1"
pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned"
pinnipedfake "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/fake"
"github.com/suzerain-io/pinniped/internal/here"
)
var (
knownGoodUsageForGetKubeConfig = here.Doc(`
Usage:
get-kubeconfig [flags]
Flags:
-h, --help help for get-kubeconfig
--kubeconfig string Path to the kubeconfig file
--kubeconfig-context string Kubeconfig context override
--pinniped-namespace string Namespace in which Pinniped was installed (default "pinniped")
--token string Credential to include in the resulting kubeconfig output (Required)
`)
knownGoodHelpForGetKubeConfig = here.Doc(`
Print a kubeconfig for authenticating into a cluster via Pinniped.
Requires admin-like access to the cluster using the current
kubeconfig context in order to access Pinniped's metadata.
The current kubeconfig is found similar to how kubectl finds it:
using the value of the --kubeconfig option, or if that is not
specified then from the value of the KUBECONFIG environment
variable, or if that is not specified then it defaults to
.kube/config in your home directory.
Prints a kubeconfig which is suitable to access the cluster using
Pinniped as the authentication mechanism. This kubeconfig output
can be saved to a file and used with future kubectl commands, e.g.:
pinniped get-kubeconfig --token $MY_TOKEN > $HOME/mycluster-kubeconfig
kubectl --kubeconfig $HOME/mycluster-kubeconfig get pods
Usage:
get-kubeconfig [flags]
Flags:
-h, --help help for get-kubeconfig
--kubeconfig string Path to the kubeconfig file
--kubeconfig-context string Kubeconfig context override
--pinniped-namespace string Namespace in which Pinniped was installed (default "pinniped")
--token string Credential to include in the resulting kubeconfig output (Required)
`)
)
func TestNewGetKubeConfigCmd(t *testing.T) {
spec.Run(t, "newGetKubeConfigCmd", func(t *testing.T, when spec.G, it spec.S) {
var r *require.Assertions
var stdout, stderr *bytes.Buffer
it.Before(func() {
r = require.New(t)
stdout, stderr = bytes.NewBuffer([]byte{}), bytes.NewBuffer([]byte{})
})
it("passes all flags to runFunc", func() {
args := []string{
"--token", "some-token",
"--kubeconfig", "some-kubeconfig",
"--kubeconfig-context", "some-kubeconfig-context",
"--pinniped-namespace", "some-pinniped-namespace",
}
c := newGetKubeConfigCmd(args, stdout, stderr)
runFuncCalled := false
c.runFunc = func(
out, err io.Writer,
token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string,
) {
runFuncCalled = true
r.Equal("some-token", token)
r.Equal("some-kubeconfig", kubeconfigPathOverride)
r.Equal("some-kubeconfig-context", currentContextOverride)
r.Equal("some-pinniped-namespace", pinnipedInstallationNamespace)
}
r.NoError(c.cmd.Execute())
r.True(runFuncCalled)
r.Empty(stdout.String())
r.Empty(stderr.String())
})
it("requires the 'token' flag", func() {
args := []string{
"--kubeconfig", "some-kubeconfig",
"--kubeconfig-context", "some-kubeconfig-context",
"--pinniped-namespace", "some-pinniped-namespace",
}
c := newGetKubeConfigCmd(args, stdout, stderr)
runFuncCalled := false
c.runFunc = func(
out, err io.Writer,
token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string,
) {
runFuncCalled = true
}
errorMessage := `required flag(s) "token" not set`
r.EqualError(c.cmd.Execute(), errorMessage)
r.False(runFuncCalled)
output := "Error: " + errorMessage + "\n" + knownGoodUsageForGetKubeConfig
r.Equal(output, stdout.String())
r.Empty(stderr.String())
})
it("defaults the flags correctly", func() {
args := []string{
"--token", "some-token",
}
c := newGetKubeConfigCmd(args, stdout, stderr)
runFuncCalled := false
c.runFunc = func(
out, err io.Writer,
token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string,
) {
runFuncCalled = true
r.Equal("some-token", token)
r.Equal("", kubeconfigPathOverride)
r.Equal("", currentContextOverride)
r.Equal("pinniped", pinnipedInstallationNamespace)
}
r.NoError(c.cmd.Execute())
r.True(runFuncCalled)
r.Empty(stdout.String())
r.Empty(stderr.String())
})
it("fails when args are passed", func() {
args := []string{
"--token", "some-token",
"some-arg",
}
c := newGetKubeConfigCmd(args, stdout, stderr)
runFuncCalled := false
c.runFunc = func(
out, err io.Writer,
token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string,
) {
runFuncCalled = true
}
errorMessage := `unknown command "some-arg" for "get-kubeconfig"`
r.EqualError(c.cmd.Execute(), errorMessage)
r.False(runFuncCalled)
output := "Error: " + errorMessage + "\n" + knownGoodUsageForGetKubeConfig
r.Equal(output, stdout.String())
r.Empty(stderr.String())
})
it("prints a nice help message", func() {
args := []string{
"--help",
}
c := newGetKubeConfigCmd(args, stdout, stderr)
runFuncCalled := false
c.runFunc = func(
out, err io.Writer,
token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string,
) {
runFuncCalled = true
}
r.NoError(c.cmd.Execute())
r.False(runFuncCalled)
r.Equal(knownGoodHelpForGetKubeConfig, stdout.String())
r.Empty(stderr.String())
})
}, spec.Parallel(), spec.Report(report.Terminal{}))
}
//nolint: unparam
func expectedKubeconfigYAML(clusterCAData, clusterServer, command, token, pinnipedEndpoint, pinnipedCABundle string) string {
return here.Docf(`
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: %s
server: %s
name: pinniped-cluster
contexts:
- context:
cluster: pinniped-cluster
user: pinniped-user
name: pinniped-cluster
current-context: pinniped-cluster
kind: Config
preferences: {}
users:
- name: pinniped-user
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
args:
- exchange-credential
command: %s
env:
- name: PINNIPED_K8S_API_ENDPOINT
value: %s
- name: PINNIPED_CA_BUNDLE
value: %s
- name: PINNIPED_TOKEN
value: %s
installHint: |-
The Pinniped CLI is required to authenticate to the current cluster.
For more information, please visit https://pinniped.dev
`, clusterCAData, clusterServer, command, pinnipedEndpoint, pinnipedCABundle, token)
}
func newCredentialIssuerConfig(server, certificateAuthorityData string) *crdpinnipedv1alpha1.CredentialIssuerConfig {
return &crdpinnipedv1alpha1.CredentialIssuerConfig{
TypeMeta: metav1.TypeMeta{
Kind: "CredentialIssuerConfig",
APIVersion: crdpinnipedv1alpha1.SchemeGroupVersion.String(),
},
ObjectMeta: metav1.ObjectMeta{
Name: "pinniped-config",
Namespace: "some-namespace",
},
Status: crdpinnipedv1alpha1.CredentialIssuerConfigStatus{
KubeConfigInfo: &crdpinnipedv1alpha1.CredentialIssuerConfigKubeConfigInfo{
Server: server,
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(certificateAuthorityData)),
},
},
}
}
func TestGetKubeConfig(t *testing.T) {
spec.Run(t, "cmd.getKubeConfig", func(t *testing.T, when spec.G, it spec.S) {
var r *require.Assertions
var outputBuffer *bytes.Buffer
var warningsBuffer *bytes.Buffer
var fullPathToSelf string
var pinnipedClient *pinnipedfake.Clientset
it.Before(func() {
r = require.New(t)
outputBuffer = new(bytes.Buffer)
warningsBuffer = new(bytes.Buffer)
var err error
fullPathToSelf, err = os.Executable()
r.NoError(err)
pinnipedClient = pinnipedfake.NewSimpleClientset()
})
when("the CredentialIssuerConfig is found on the cluster with a configuration that matches the existing kubeconfig", func() {
it.Before(func() {
r.NoError(pinnipedClient.Tracker().Add(
newCredentialIssuerConfig("https://fake-server-url-value", "fake-certificate-authority-data-value"),
))
})
it("writes the kubeconfig to the given writer", func() {
kubeClientCreatorFuncWasCalled := false
err := getKubeConfig(outputBuffer,
warningsBuffer,
"some-token",
"./testdata/kubeconfig.yaml",
"",
"some-namespace",
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
kubeClientCreatorFuncWasCalled = true
r.Equal("https://fake-server-url-value", restConfig.Host)
r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData))
return pinnipedClient, nil
},
)
r.NoError(err)
r.True(kubeClientCreatorFuncWasCalled)
r.Empty(warningsBuffer.String())
r.Equal(expectedKubeconfigYAML(
base64.StdEncoding.EncodeToString([]byte("fake-certificate-authority-data-value")),
"https://fake-server-url-value",
fullPathToSelf,
"some-token",
"https://fake-server-url-value",
"fake-certificate-authority-data-value",
), outputBuffer.String())
})
when("the currentContextOverride is used to specify a context other than the default context", func() {
it.Before(func() {
// update the Server and CertificateAuthorityData to make them match the other kubeconfig context
r.NoError(pinnipedClient.Tracker().Update(
schema.GroupVersionResource{
Group: crdpinnipedv1alpha1.GroupName,
Version: crdpinnipedv1alpha1.SchemeGroupVersion.Version,
Resource: "credentialissuerconfigs",
},
newCredentialIssuerConfig(
"https://some-other-fake-server-url-value",
"some-other-fake-certificate-authority-data-value",
),
"some-namespace",
))
})
when("that context exists", func() {
it("writes the kubeconfig to the given writer using the specified context", func() {
kubeClientCreatorFuncWasCalled := false
err := getKubeConfig(outputBuffer,
warningsBuffer,
"some-token",
"./testdata/kubeconfig.yaml",
"some-other-context",
"some-namespace",
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
kubeClientCreatorFuncWasCalled = true
r.Equal("https://some-other-fake-server-url-value", restConfig.Host)
r.Equal("some-other-fake-certificate-authority-data-value", string(restConfig.CAData))
return pinnipedClient, nil
},
)
r.NoError(err)
r.True(kubeClientCreatorFuncWasCalled)
r.Empty(warningsBuffer.String())
r.Equal(expectedKubeconfigYAML(
base64.StdEncoding.EncodeToString([]byte("some-other-fake-certificate-authority-data-value")),
"https://some-other-fake-server-url-value",
fullPathToSelf,
"some-token",
"https://some-other-fake-server-url-value",
"some-other-fake-certificate-authority-data-value",
), outputBuffer.String())
})
})
when("that context does not exist the in the current kubeconfig", func() {
it("returns an error", func() {
err := getKubeConfig(outputBuffer,
warningsBuffer,
"some-token",
"./testdata/kubeconfig.yaml",
"this-context-name-does-not-exist-in-kubeconfig.yaml",
"some-namespace",
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { return pinnipedClient, nil },
)
r.EqualError(err, `context "this-context-name-does-not-exist-in-kubeconfig.yaml" does not exist`)
r.Empty(warningsBuffer.String())
r.Empty(outputBuffer.String())
})
})
})
when("the token passed in is empty", func() {
it("returns an error", func() {
err := getKubeConfig(outputBuffer,
warningsBuffer,
"",
"./testdata/kubeconfig.yaml",
"",
"some-namespace",
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { return pinnipedClient, nil },
)
r.EqualError(err, "--token flag value cannot be empty")
r.Empty(warningsBuffer.String())
r.Empty(outputBuffer.String())
})
})
when("the kubeconfig path passed refers to a file that does not exist", func() {
it("returns an error", func() {
err := getKubeConfig(outputBuffer,
warningsBuffer,
"some-token",
"./testdata/this-file-does-not-exist.yaml",
"",
"some-namespace",
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { return pinnipedClient, nil },
)
r.EqualError(err, "stat ./testdata/this-file-does-not-exist.yaml: no such file or directory")
r.Empty(warningsBuffer.String())
r.Empty(outputBuffer.String())
})
})
when("the kubeconfig path parameter is empty", func() {
it.Before(func() {
// Note that this is technically polluting other parallel tests in this file, but other tests
// are always specifying the kubeconfigPathOverride parameter, so they're not actually looking
// at the value of this environment variable.
r.NoError(os.Setenv("KUBECONFIG", "./testdata/kubeconfig.yaml"))
})
it.After(func() {
r.NoError(os.Unsetenv("KUBECONFIG"))
})
it("falls back to using the KUBECONFIG env var to find the kubeconfig file", func() {
kubeClientCreatorFuncWasCalled := false
err := getKubeConfig(outputBuffer,
warningsBuffer,
"some-token",
"",
"",
"some-namespace",
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
kubeClientCreatorFuncWasCalled = true
r.Equal("https://fake-server-url-value", restConfig.Host)
r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData))
return pinnipedClient, nil
},
)
r.NoError(err)
r.True(kubeClientCreatorFuncWasCalled)
r.Empty(warningsBuffer.String())
r.Equal(expectedKubeconfigYAML(
base64.StdEncoding.EncodeToString([]byte("fake-certificate-authority-data-value")),
"https://fake-server-url-value",
fullPathToSelf,
"some-token",
"https://fake-server-url-value",
"fake-certificate-authority-data-value",
), outputBuffer.String())
})
})
when("the wrong pinniped namespace is passed in", func() {
it("returns an error", func() {
kubeClientCreatorFuncWasCalled := false
err := getKubeConfig(outputBuffer,
warningsBuffer,
"some-token",
"./testdata/kubeconfig.yaml",
"",
"this-is-the-wrong-namespace",
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
kubeClientCreatorFuncWasCalled = true
r.Equal("https://fake-server-url-value", restConfig.Host)
r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData))
return pinnipedClient, nil
},
)
r.EqualError(err, `CredentialIssuerConfig "pinniped-config" was not found in namespace "this-is-the-wrong-namespace". Is Pinniped installed on this cluster in namespace "this-is-the-wrong-namespace"?`)
r.True(kubeClientCreatorFuncWasCalled)
})
})
})
when("the CredentialIssuerConfig is found on the cluster with a configuration that does not match the existing kubeconfig", func() {
when("the Server doesn't match", func() {
it.Before(func() {
r.NoError(pinnipedClient.Tracker().Add(
newCredentialIssuerConfig("non-matching-pinniped-server-url", "fake-certificate-authority-data-value"),
))
})
it("writes the kubeconfig to the given writer using the values found in the local kubeconfig and issues a warning", func() {
kubeClientCreatorFuncWasCalled := false
err := getKubeConfig(outputBuffer,
warningsBuffer,
"some-token",
"./testdata/kubeconfig.yaml",
"",
"some-namespace",
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
kubeClientCreatorFuncWasCalled = true
r.Equal("https://fake-server-url-value", restConfig.Host)
r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData))
return pinnipedClient, nil
},
)
r.NoError(err)
r.True(kubeClientCreatorFuncWasCalled)
r.Equal(
"WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.\n",
warningsBuffer.String(),
)
r.Equal(expectedKubeconfigYAML(
base64.StdEncoding.EncodeToString([]byte("fake-certificate-authority-data-value")),
"https://fake-server-url-value",
fullPathToSelf,
"some-token",
"https://fake-server-url-value",
"fake-certificate-authority-data-value",
), outputBuffer.String())
})
})
when("the CA doesn't match", func() {
it.Before(func() {
r.NoError(pinnipedClient.Tracker().Add(
newCredentialIssuerConfig("https://fake-server-url-value", "non-matching-certificate-authority-data-value"),
))
})
it("writes the kubeconfig to the given writer using the values found in the local kubeconfig and issues a warning", func() {
kubeClientCreatorFuncWasCalled := false
err := getKubeConfig(outputBuffer,
warningsBuffer,
"some-token",
"./testdata/kubeconfig.yaml",
"",
"some-namespace",
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
kubeClientCreatorFuncWasCalled = true
r.Equal("https://fake-server-url-value", restConfig.Host)
r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData))
return pinnipedClient, nil
},
)
r.NoError(err)
r.True(kubeClientCreatorFuncWasCalled)
r.Equal(
"WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.\n",
warningsBuffer.String(),
)
r.Equal(expectedKubeconfigYAML(
base64.StdEncoding.EncodeToString([]byte("fake-certificate-authority-data-value")),
"https://fake-server-url-value",
fullPathToSelf,
"some-token",
"https://fake-server-url-value",
"fake-certificate-authority-data-value",
), outputBuffer.String())
})
})
})
when("the CredentialIssuerConfig is found on the cluster with an empty KubeConfigInfo", func() {
it.Before(func() {
r.NoError(pinnipedClient.Tracker().Add(
&crdpinnipedv1alpha1.CredentialIssuerConfig{
TypeMeta: metav1.TypeMeta{
Kind: "CredentialIssuerConfig",
APIVersion: crdpinnipedv1alpha1.SchemeGroupVersion.String(),
},
ObjectMeta: metav1.ObjectMeta{
Name: "pinniped-config",
Namespace: "some-namespace",
},
Status: crdpinnipedv1alpha1.CredentialIssuerConfigStatus{},
},
))
})
it("returns an error", func() {
kubeClientCreatorFuncWasCalled := false
err := getKubeConfig(outputBuffer,
warningsBuffer,
"some-token",
"./testdata/kubeconfig.yaml",
"",
"some-namespace",
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
kubeClientCreatorFuncWasCalled = true
r.Equal("https://fake-server-url-value", restConfig.Host)
r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData))
return pinnipedClient, nil
},
)
r.True(kubeClientCreatorFuncWasCalled)
r.EqualError(err, `CredentialIssuerConfig "pinniped-config" was missing KubeConfigInfo`)
r.Empty(warningsBuffer.String())
r.Empty(outputBuffer.String())
})
})
when("the CredentialIssuerConfig does not exist on the cluster", func() {
it("returns an error", func() {
kubeClientCreatorFuncWasCalled := false
err := getKubeConfig(outputBuffer,
warningsBuffer,
"some-token",
"./testdata/kubeconfig.yaml",
"",
"some-namespace",
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
kubeClientCreatorFuncWasCalled = true
r.Equal("https://fake-server-url-value", restConfig.Host)
r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData))
return pinnipedClient, nil
},
)
r.True(kubeClientCreatorFuncWasCalled)
r.EqualError(err, `CredentialIssuerConfig "pinniped-config" was not found in namespace "some-namespace". Is Pinniped installed on this cluster in namespace "some-namespace"?`)
r.Empty(warningsBuffer.String())
r.Empty(outputBuffer.String())
})
})
when("there is an error while getting the CredentialIssuerConfig from the cluster", func() {
it("returns an error", func() {
err := getKubeConfig(outputBuffer,
warningsBuffer,
"some-token",
"./testdata/kubeconfig.yaml",
"",
"some-namespace",
func(restConfig *rest.Config) (pinnipedclientset.Interface, error) {
return nil, fmt.Errorf("some error getting CredentialIssuerConfig")
},
)
r.EqualError(err, "some error getting CredentialIssuerConfig")
r.Empty(warningsBuffer.String())
r.Empty(outputBuffer.String())
})
})
}, spec.Parallel(), spec.Report(report.Terminal{}))
}

30
cmd/pinniped/cmd/root.go Normal file
View File

@ -0,0 +1,30 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package cmd
import (
"fmt"
"os"
"github.com/spf13/cobra"
)
//nolint: gochecknoglobals
var rootCmd = &cobra.Command{
Use: "pinniped",
Short: "pinniped",
Long: "pinniped is the client-side binary for use with Pinniped-enabled Kubernetes clusters.",
SilenceUsage: true, // do not print usage message when commands fail
}
// Execute adds all child commands to the root command and sets flags appropriately.
// This is called by main.main(). It only needs to happen once to the rootCmd.
func Execute() {
if err := rootCmd.Execute(); err != nil {
fmt.Println(err)
os.Exit(1)
}
}

31
cmd/pinniped/cmd/testdata/kubeconfig.yaml vendored Normal file
View File

@ -0,0 +1,31 @@
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ== # fake-certificate-authority-data-value
server: https://fake-server-url-value
name: kind-kind
- cluster:
certificate-authority-data: c29tZS1vdGhlci1mYWtlLWNlcnRpZmljYXRlLWF1dGhvcml0eS1kYXRhLXZhbHVl # some-other-fake-certificate-authority-data-value
server: https://some-other-fake-server-url-value
name: some-other-cluster
contexts:
- context:
cluster: kind-kind
user: kind-kind
name: kind-kind
- context:
cluster: some-other-cluster
user: some-other-user
name: some-other-context
current-context: kind-kind
kind: Config
preferences: {}
users:
- name: kind-kind
user:
client-certificate-data: ZmFrZS1jbGllbnQtY2VydGlmaWNhdGUtZGF0YS12YWx1ZQ== # fake-client-certificate-data-value
client-key-data: ZmFrZS1jbGllbnQta2V5LWRhdGEtdmFsdWU= # fake-client-key-data-value
- name: some-other-user
user:
client-certificate-data: c29tZS1vdGhlci1mYWtlLWNsaWVudC1jZXJ0aWZpY2F0ZS1kYXRhLXZhbHVl # some-other-fake-client-certificate-data-value
client-key-data: c29tZS1vdGhlci1mYWtlLWNsaWVudC1rZXktZGF0YS12YWx1ZQ== # some-other-fake-client-key-data-value

61
cmd/pinniped/main.go
View File

@ -5,65 +5,8 @@ SPDX-License-Identifier: Apache-2.0
package main
import (
"context"
"encoding/json"
"fmt"
"io"
"os"
"time"
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
"github.com/suzerain-io/pinniped/internal/client"
"github.com/suzerain-io/pinniped/internal/constable"
)
import "github.com/suzerain-io/pinniped/cmd/pinniped/cmd"
func main() {
err := run(os.LookupEnv, client.ExchangeToken, os.Stdout, 30*time.Second)
if err != nil {
_, _ = fmt.Fprintf(os.Stderr, "%s\n", err.Error())
os.Exit(1)
}
}
type envGetter func(string) (string, bool)
type tokenExchanger func(ctx context.Context, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error)
const ErrMissingEnvVar = constable.Error("failed to get credential: environment variable not set")
func run(envGetter envGetter, tokenExchanger tokenExchanger, outputWriter io.Writer, timeout time.Duration) error {
ctx, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel()
token, varExists := envGetter("PINNIPED_TOKEN")
if !varExists {
return envVarNotSetError("PINNIPED_TOKEN")
}
caBundle, varExists := envGetter("PINNIPED_CA_BUNDLE")
if !varExists {
return envVarNotSetError("PINNIPED_CA_BUNDLE")
}
apiEndpoint, varExists := envGetter("PINNIPED_K8S_API_ENDPOINT")
if !varExists {
return envVarNotSetError("PINNIPED_K8S_API_ENDPOINT")
}
cred, err := tokenExchanger(ctx, token, caBundle, apiEndpoint)
if err != nil {
return fmt.Errorf("failed to get credential: %w", err)
}
err = json.NewEncoder(outputWriter).Encode(cred)
if err != nil {
return fmt.Errorf("failed to marshal response to stdout: %w", err)
}
return nil
}
func envVarNotSetError(varName string) error {
return fmt.Errorf("%w: %s", ErrMissingEnvVar, varName)
cmd.Execute()
}

5
deploy-local-user-authenticator/README.md
View File

@ -14,8 +14,9 @@ User accounts can be created and edited dynamically using `kubectl` commands (se
## Tools
This example deployment uses `ytt` from [Carvel](https://carvel.dev/) to template the YAML files.
Either [install `ytt`](https://get-ytt.io/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags).
This example deployment uses `ytt` and `kapp` from [Carvel](https://carvel.dev/) to template the YAML files
and to deploy the app.
Either [install `ytt` and `kapp`](https://carvel.dev/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags).
As well, this demo requires a tool capable of generating a `bcrypt` hash in order to interact with
the webhook. The example below uses `htpasswd`, which is installed on most macOS systems, and can be

5
deploy/README.md
View File

@ -9,8 +9,9 @@ for details.
## Tools
This example deployment uses `ytt` from [Carvel](https://carvel.dev/) to template the YAML files.
Either [install `ytt`](https://get-ytt.io/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags).
This example deployment uses `ytt` and `kapp` from [Carvel](https://carvel.dev/) to template the YAML files
and to deploy the app.
Either [install `ytt` and `kapp`](https://carvel.dev/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags).
## Procedure

0
deploy/crd.yaml → deploy/crd.pinniped.dev_credentialissuerconfigs.yaml
View File

3
deploy/deployment.yaml
View File

@ -29,9 +29,6 @@ data:
pinniped.yaml: |
discovery:
url: (@= data.values.discovery_url or "null" @)
webhook:
url: (@= data.values.webhook_url @)
caBundle: (@= data.values.webhook_ca_bundle @)
api:
servingCertificate:
durationSeconds: (@= str(data.values.api_serving_certificate_duration_seconds) @)

149
deploy/idp.pinniped.dev_webhookidentityproviders.yaml Normal file
View File

@ -0,0 +1,149 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: webhookidentityproviders.idp.pinniped.dev
spec:
group: idp.pinniped.dev
names:
categories:
- all
- idp
- idps
kind: WebhookIdentityProvider
listKind: WebhookIdentityProviderList
plural: webhookidentityproviders
shortNames:
- webhookidp
- webhookidps
singular: webhookidentityprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.endpoint
name: Endpoint
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: WebhookIdentityProvider describes the configuration of a Pinniped
webhook identity provider.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec for configuring the identity provider.
properties:
endpoint:
description: Webhook server endpoint URL.
minLength: 1
pattern: ^https://
type: string
tls:
description: TLS configuration.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
type: object
required:
- endpoint
type: object
status:
description: Status of the identity provider.
properties:
conditions:
description: Represents the observations of an identity provider's
current state.
items:
description: Condition status of a resource (mirrored from the metav1.Condition
type added in Kubernetes 1.19). In a future API version we can
switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

4
deploy/rbac.yaml
View File

@ -47,8 +47,8 @@ rules:
- apiGroups: [""]
resources: [secrets]
verbs: [create, get, list, patch, update, watch, delete]
- apiGroups: [crd.pinniped.dev]
resources: [credentialissuerconfigs]
- apiGroups: [crd.pinniped.dev, idp.pinniped.dev]
resources: ["*"]
verbs: [create, get, list, update, watch]
---
kind: RoleBinding

16
deploy/webhook.yaml Normal file
View File

@ -0,0 +1,16 @@
#! Copyright 2020 VMware, Inc.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data")
apiVersion: idp.pinniped.dev/v1alpha1
kind: WebhookIdentityProvider
metadata:
name: #@ data.values.app_name + "-webhook"
namespace: #@ data.values.namespace
labels:
app: #@ data.values.app_name
spec:
endpoint: #@ data.values.webhook_url
tls:
certificateAuthorityData: #@ data.values.webhook_ca_bundle

115
doc/demo.md Normal file
View File

@ -0,0 +1,115 @@
# Trying Pinniped
## Prerequisites
1. A Kubernetes cluster of a type supported by Pinniped.
Currently, Pinniped supports self-hosted clusters where the Kube Controller Manager pod
is accessible from Pinniped's pods.
Support for other types of Kubernetes distributions is coming soon.
Don't have a cluster handy? Consider using [kind](https://kind.sigs.k8s.io/) on your local machine.
See below for an example of using kind.
1. A kubeconfig where the current context points to that cluster and has admin-like
privileges on that cluster.
Don't have an identity provider of a type supported by Pinniped handy?
Start by installing `local-user-authenticator` on the same cluster where you would like to try Pinniped
by following the directions in [deploy-local-user-authenticator/README.md](../deploy-local-user-authenticator/README.md).
See below for an example of deploying this on kind.
## Steps
### General Steps
1. Install Pinniped by following the directions in [deploy/README.md](../deploy/README.md).
1. Download the Pinniped CLI from [Pinniped's github Releases page](https://github.com/suzerain-io/pinniped/releases/latest).
1. Generate a kubeconfig using the Pinniped CLI. Run `pinniped get-kubeconfig --help` for more information.
1. Run `kubectl` commands using the generated kubeconfig to authenticate using Pinniped during those commands.
### Specific Example of Deploying on kind Using `local-user-authenticator` as the Identity Provider
1. Install the tools required for the following steps.
- This example deployment uses `ytt` and `kapp` from [Carvel](https://carvel.dev/) to template the YAML files
and to deploy the app.
Either [install `ytt` and `kapp`](https://carvel.dev/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags).
E.g. `brew install k14s/tap/ytt k14s/tap/kapp` on a Mac.
- [Install kind](https://kind.sigs.k8s.io/docs/user/quick-start/), if not already installed. e.g. `brew install kind` on a Mac.
- kind depends on Docker. If not already installed, [install Docker](https://docs.docker.com/get-docker/), e.g. `brew cask install docker` on a Mac.
- This demo requires `kubectl`, which comes with Docker, or can be [installed separately](https://kubernetes.io/docs/tasks/tools/install-kubectl/).
- This demo requires a tool capable of generating a `bcrypt` hash in order to interact with
the webhook. The example below uses `htpasswd`, which is installed on most macOS systems, and can be
installed on some Linux systems via the `apache2-utils` package (e.g., `apt-get install
apache2-utils`).
1. Create a new Kubernetes cluster using `kind create cluster`. Optionally provide a cluster name using the `--name` flag.
kind will automatically update your kubeconfig to point to the new cluster.
1. Clone this repo.
```bash
git clone https://github.com/suzerain-io/pinniped.git /tmp/pinniped --depth 1
```
1. Deploy the `local-user-authenticator` app:
```bash
cd /tmp/pinniped/deploy-local-user-authenticator
ytt --file . | kapp deploy --yes --app local-user-authenticator --diff-changes --file -
```
1. Create a test user.
```bash
kubectl create secret generic pinny-the-seal \
--namespace local-user-authenticator \
--from-literal=groups=group1,group2 \
--from-literal=passwordHash=$(htpasswd -nbBC 10 x password123 | sed -e "s/^x://")
```
1. Fetch the auto-generated CA bundle for the `local-user-authenticator`'s HTTP TLS endpoint.
```bash
kubectl get secret api-serving-cert --namespace local-user-authenticator \
-o jsonpath={.data.caCertificate} \
| base64 -d \
| tee /tmp/local-user-authenticator-ca
```
1. Deploy Pinniped.
```bash
cd /tmp/pinniped/deploy
ytt --file . | kapp deploy --yes --app pinniped --diff-changes --file - \
--data-value "webhook_url=https://local-user-authenticator.local-user-authenticator.svc/authenticate" \
--data-value "webhook_ca_bundle=$(cat /tmp/local-user-authenticator-ca)"
```
1. Download the latest version of the Pinniped CLI binary for your platform
from [Pinniped's github Releases page](https://github.com/suzerain-io/pinniped/releases/latest).
1. Move the Pinniped CLI binary to your preferred directory and add the executable bit,
e.g. `chmod +x /usr/local/bin/pinniped`.
1. Generate a kubeconfig.
```bash
pinniped get-kubeconfig --token "pinny-the-seal:password123" > /tmp/pinniped-kubeconfig
```
1. Create RBAC rules for the test user to give them permissions to perform actions on the cluster.
For example, grant the test user permission to view all cluster resources.
```bash
kubectl create clusterrolebinding pinny-can-read --clusterrole view --user pinny-the-seal
```
1. Use the generated kubeconfig to issue arbitrary `kubectl` commands as the `pinny-the-seal` user.
```bash
kubectl --kubeconfig /tmp/pinniped-kubeconfig get pods -n pinniped
```

115
generated/1.17/README.adoc generated
View File

@ -6,6 +6,7 @@
.Packages
- xref:{anchor_prefix}-crd-pinniped-dev-v1alpha1[$$crd.pinniped.dev/v1alpha1$$]
- xref:{anchor_prefix}-idp-pinniped-dev-v1alpha1[$$idp.pinniped.dev/v1alpha1$$]
- xref:{anchor_prefix}-pinniped-dev-v1alpha1[$$pinniped.dev/v1alpha1$$]
@ -95,6 +96,110 @@ Status of a credential issuer.
[id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"]
=== idp.pinniped.dev/v1alpha1
Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-condition"]
==== Condition
Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
.Appears In:
****
- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
|===
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-tlsspec"]
==== TLSSpec
Configuration for configuring TLS on various identity providers.
.Appears In:
****
- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
|===
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityprovider"]
==== WebhookIdentityProvider
WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
.Appears In:
****
- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
|===
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderspec"]
==== WebhookIdentityProviderSpec
Spec for configuring a webhook identity provider.
.Appears In:
****
- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`endpoint`* __string__ | Webhook server endpoint URL.
| *`tls`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
|===
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderstatus"]
==== WebhookIdentityProviderStatus
Status of a webhook identity provider.
.Appears In:
****
- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`conditions`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
|===
[id="{anchor_prefix}-pinniped-dev-v1alpha1"]
=== pinniped.dev/v1alpha1
@ -105,7 +210,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-pinniped-v1alpha1-credentialrequest"]
==== CredentialRequest
CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
.Appears In:
****
@ -125,7 +230,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-pinniped-v1alpha1-credentialrequestcredential"]
==== CredentialRequestCredential
CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
.Appears In:
****
@ -147,7 +252,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-pinniped-v1alpha1-credentialrequestspec"]
==== CredentialRequestSpec
CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API
.Appears In:
****
@ -165,7 +270,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-pinniped-v1alpha1-credentialrequeststatus"]
==== CredentialRequestStatus
CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API.
.Appears In:
****
@ -183,7 +288,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-pinniped-v1alpha1-credentialrequesttokencredential"]
==== CredentialRequestTokenCredential
CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider.
.Appears In:
****

10
generated/1.17/apis/idp/doc.go generated Normal file
View File

@ -0,0 +1,10 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// +k8s:deepcopy-gen=package
// +groupName=idp.pinniped.dev
// Package idp is the internal version of the Pinniped identity provider API.
package idp

6
generated/1.17/apis/idp/v1alpha1/conversion.go generated Normal file
View File

@ -0,0 +1,6 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1

14
generated/1.17/apis/idp/v1alpha1/defaults.go generated Normal file
View File

@ -0,0 +1,14 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1
import (
"k8s.io/apimachinery/pkg/runtime"
)
func addDefaultingFuncs(scheme *runtime.Scheme) error {
return RegisterDefaults(scheme)
}

14
generated/1.17/apis/idp/v1alpha1/doc.go generated Normal file
View File

@ -0,0 +1,14 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// +k8s:openapi-gen=true
// +k8s:deepcopy-gen=package
// +k8s:conversion-gen=github.com/suzerain-io/pinniped/generated/1.17/apis/idp
// +k8s:defaulter-gen=TypeMeta
// +groupName=idp.pinniped.dev
// +groupGoName=IDP
// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
package v1alpha1

45
generated/1.17/apis/idp/v1alpha1/register.go generated Normal file
View File

@ -0,0 +1,45 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
)
const GroupName = "idp.pinniped.dev"
// SchemeGroupVersion is group version used to register these objects.
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
var (
SchemeBuilder runtime.SchemeBuilder
localSchemeBuilder = &SchemeBuilder
AddToScheme = localSchemeBuilder.AddToScheme
)
func init() {
// We only register manually written functions here. The registration of the
// generated functions takes place in the generated files. The separation
// makes the code compile even when the generated files are missing.
localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
}
// Adds the list of known types to the given scheme.
func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&WebhookIdentityProvider{},
&WebhookIdentityProviderList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil
}
// Resource takes an unqualified resource and returns a Group qualified GroupResource.
func Resource(resource string) schema.GroupResource {
return SchemeGroupVersion.WithResource(resource).GroupResource()
}

77
generated/1.17/apis/idp/v1alpha1/types_meta.go generated Normal file
View File

@ -0,0 +1,77 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
// ConditionStatus is effectively an enum type for Condition.Status.
type ConditionStatus string
// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.
// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes
// can't decide if a resource is in the condition or not. In the future, we could add other
// intermediate conditions, e.g. ConditionDegraded.
const (
ConditionTrue ConditionStatus = "True"
ConditionFalse ConditionStatus = "False"
ConditionUnknown ConditionStatus = "Unknown"
)
// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API
// version we can switch to using the upstream type.
// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
type Condition struct {
// type of condition in CamelCase or in foo.example.com/CamelCase.
// ---
// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
// useful (see .node.status.conditions), the ability to deconflict is important.
// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
// +kubebuilder:validation:MaxLength=316
Type string `json:"type"`
// status of the condition, one of True, False, Unknown.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Enum=True;False;Unknown
Status ConditionStatus `json:"status"`
// observedGeneration represents the .metadata.generation that the condition was set based upon.
// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
// with respect to the current state of the instance.
// +optional
// +kubebuilder:validation:Minimum=0
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
// lastTransitionTime is the last time the condition transitioned from one status to another.
// This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Type=string
// +kubebuilder:validation:Format=date-time
LastTransitionTime metav1.Time `json:"lastTransitionTime"`
// reason contains a programmatic identifier indicating the reason for the condition's last transition.
// Producers of specific condition types may define expected values and meanings for this field,
// and whether the values are considered a guaranteed API.
// The value should be a CamelCase string.
// This field may not be empty.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:MaxLength=1024
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`
Reason string `json:"reason"`
// message is a human readable message indicating details about the transition.
// This may be an empty string.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:MaxLength=32768
Message string `json:"message"`
}

13
generated/1.17/apis/idp/v1alpha1/types_tls.go generated Normal file
View File

@ -0,0 +1,13 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1
// Configuration for configuring TLS on various identity providers.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
}

55
generated/1.17/apis/idp/v1alpha1/types_webhook.go generated Normal file
View File

@ -0,0 +1,55 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
// Status of a webhook identity provider.
type WebhookIdentityProviderStatus struct {
// Represents the observations of an identity provider's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
// Spec for configuring a webhook identity provider.
type WebhookIdentityProviderSpec struct {
// Webhook server endpoint URL.
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:Pattern=`^https://`
Endpoint string `json:"endpoint"`
// TLS configuration.
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
}
// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps
// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
type WebhookIdentityProvider struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the identity provider.
Spec WebhookIdentityProviderSpec `json:"spec"`
// Status of the identity provider.
Status WebhookIdentityProviderStatus `json:"status,omitempty"`
}
// List of WebhookIdentityProvider objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type WebhookIdentityProviderList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []WebhookIdentityProvider `json:"items"`
}

24
generated/1.17/apis/idp/v1alpha1/zz_generated.conversion.go generated Normal file
View File

@ -0,0 +1,24 @@
// +build !ignore_autogenerated
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by conversion-gen. DO NOT EDIT.
package v1alpha1
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
func init() {
localSchemeBuilder.Register(RegisterConversions)
}
// RegisterConversions adds conversion functions to the given scheme.
// Public to allow building arbitrary schemes.
func RegisterConversions(s *runtime.Scheme) error {
return nil
}

152
generated/1.17/apis/idp/v1alpha1/zz_generated.deepcopy.go generated Normal file
View File

@ -0,0 +1,152 @@
// +build !ignore_autogenerated
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package v1alpha1
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Condition) DeepCopyInto(out *Condition) {
*out = *in
in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
func (in *Condition) DeepCopy() *Condition {
if in == nil {
return nil
}
out := new(Condition)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec.
func (in *TLSSpec) DeepCopy() *TLSSpec {
if in == nil {
return nil
}
out := new(TLSSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProvider.
func (in *WebhookIdentityProvider) DeepCopy() *WebhookIdentityProvider {
if in == nil {
return nil
}
out := new(WebhookIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProviderList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]WebhookIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderList.
func (in *WebhookIdentityProviderList) DeepCopy() *WebhookIdentityProviderList {
if in == nil {
return nil
}
out := new(WebhookIdentityProviderList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProviderSpec) {
*out = *in
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderSpec.
func (in *WebhookIdentityProviderSpec) DeepCopy() *WebhookIdentityProviderSpec {
if in == nil {
return nil
}
out := new(WebhookIdentityProviderSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProviderStatus) {
*out = *in
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderStatus.
func (in *WebhookIdentityProviderStatus) DeepCopy() *WebhookIdentityProviderStatus {
if in == nil {
return nil
}
out := new(WebhookIdentityProviderStatus)
in.DeepCopyInto(out)
return out
}

21
generated/1.17/apis/idp/v1alpha1/zz_generated.defaults.go generated Normal file
View File

@ -0,0 +1,21 @@
// +build !ignore_autogenerated
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by defaulter-gen. DO NOT EDIT.
package v1alpha1
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// RegisterDefaults adds defaulters functions to the given scheme.
// Public to allow building arbitrary schemes.
// All generated defaulters are covering - they call all nested defaulters.
func RegisterDefaults(scheme *runtime.Scheme) error {
return nil
}

10
generated/1.17/apis/idp/zz_generated.deepcopy.go generated Normal file
View File

@ -0,0 +1,10 @@
// +build !ignore_autogenerated
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package idp

27
generated/1.17/apis/pinniped/v1alpha1/types.go generated
View File

@ -13,19 +13,23 @@ const (
TokenCredentialType = CredentialType("token")
)
// CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider.
type CredentialRequestTokenCredential struct {
// Value of the bearer token supplied with the credential request.
Value string `json:"value,omitempty" protobuf:"bytes,1,opt,name=value"`
Value string `json:"value,omitempty"`
}
// CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API
type CredentialRequestSpec struct {
// Type of credential.
Type CredentialType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type"`
Type CredentialType `json:"type,omitempty"`
// Token credential (when Type == TokenCredentialType).
Token *CredentialRequestTokenCredential `json:"token,omitempty" protobuf:"bytes,2,opt,name=token"`
Token *CredentialRequestTokenCredential `json:"token,omitempty"`
}
// CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It
// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
type CredentialRequestCredential struct {
// ExpirationTimestamp indicates a time when the provided credentials expire.
ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"`
@ -40,6 +44,7 @@ type CredentialRequestCredential struct {
ClientKeyData string `json:"clientKeyData,omitempty"`
}
// CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API.
type CredentialRequestStatus struct {
// A Credential will be returned for a successful credential request.
// +optional
@ -50,25 +55,25 @@ type CredentialRequestStatus struct {
Message *string `json:"message,omitempty"`
}
// CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type CredentialRequest struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec CredentialRequestSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
Status CredentialRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
Spec CredentialRequestSpec `json:"spec,omitempty"`
Status CredentialRequestStatus `json:"status,omitempty"`
}
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// CredentialRequestList is a list of CredentialRequest objects.
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type CredentialRequestList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []CredentialRequest `json:"items" protobuf:"bytes,2,rep,name=items"`
Items []CredentialRequest `json:"items"`
}

14
generated/1.17/client/clientset/versioned/clientset.go generated
View File

@ -11,6 +11,7 @@ import (
"fmt"
crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/crdpinniped/v1alpha1"
idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1"
pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/pinniped/v1alpha1"
discovery "k8s.io/client-go/discovery"
rest "k8s.io/client-go/rest"
@ -20,6 +21,7 @@ import (
type Interface interface {
Discovery() discovery.DiscoveryInterface
CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface
IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface
}
@ -28,6 +30,7 @@ type Interface interface {
type Clientset struct {
*discovery.DiscoveryClient
crdV1alpha1 *crdv1alpha1.CrdV1alpha1Client
iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client
pinnipedV1alpha1 *pinnipedv1alpha1.PinnipedV1alpha1Client
}
@ -36,6 +39,11 @@ func (c *Clientset) CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface {
return c.crdV1alpha1
}
// IDPV1alpha1 retrieves the IDPV1alpha1Client
func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
return c.iDPV1alpha1
}
// PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client
func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface {
return c.pinnipedV1alpha1
@ -66,6 +74,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
if err != nil {
return nil, err
}
cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy)
if err != nil {
return nil, err
}
cs.pinnipedV1alpha1, err = pinnipedv1alpha1.NewForConfig(&configShallowCopy)
if err != nil {
return nil, err
@ -83,6 +95,7 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
func NewForConfigOrDie(c *rest.Config) *Clientset {
var cs Clientset
cs.crdV1alpha1 = crdv1alpha1.NewForConfigOrDie(c)
cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c)
cs.pinnipedV1alpha1 = pinnipedv1alpha1.NewForConfigOrDie(c)
cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
@ -93,6 +106,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
func New(c rest.Interface) *Clientset {
var cs Clientset
cs.crdV1alpha1 = crdv1alpha1.New(c)
cs.iDPV1alpha1 = idpv1alpha1.New(c)
cs.pinnipedV1alpha1 = pinnipedv1alpha1.New(c)
cs.DiscoveryClient = discovery.NewDiscoveryClient(c)

7
generated/1.17/client/clientset/versioned/fake/clientset_generated.go generated
View File

@ -11,6 +11,8 @@ import (
clientset "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned"
crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/crdpinniped/v1alpha1"
fakecrdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/crdpinniped/v1alpha1/fake"
idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1"
fakeidpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake"
pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/pinniped/v1alpha1"
fakepinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/pinniped/v1alpha1/fake"
"k8s.io/apimachinery/pkg/runtime"
@ -72,6 +74,11 @@ func (c *Clientset) CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface {
return &fakecrdv1alpha1.FakeCrdV1alpha1{Fake: &c.Fake}
}
// IDPV1alpha1 retrieves the IDPV1alpha1Client
func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
}
// PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client
func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface {
return &fakepinnipedv1alpha1.FakePinnipedV1alpha1{Fake: &c.Fake}

2
generated/1.17/client/clientset/versioned/fake/register.go generated
View File

@ -9,6 +9,7 @@ package fake
import (
crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1"
idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1"
pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
@ -22,6 +23,7 @@ var codecs = serializer.NewCodecFactory(scheme)
var parameterCodec = runtime.NewParameterCodec(scheme)
var localSchemeBuilder = runtime.SchemeBuilder{
crdv1alpha1.AddToScheme,
idpv1alpha1.AddToScheme,
pinnipedv1alpha1.AddToScheme,
}

2
generated/1.17/client/clientset/versioned/scheme/register.go generated
View File

@ -9,6 +9,7 @@ package scheme
import (
crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1"
idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1"
pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
@ -22,6 +23,7 @@ var Codecs = serializer.NewCodecFactory(Scheme)
var ParameterCodec = runtime.NewParameterCodec(Scheme)
var localSchemeBuilder = runtime.SchemeBuilder{
crdv1alpha1.AddToScheme,
idpv1alpha1.AddToScheme,
pinnipedv1alpha1.AddToScheme,
}

9
generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/doc.go generated Normal file
View File

@ -0,0 +1,9 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by client-gen. DO NOT EDIT.
// This package has the automatically generated typed clients.
package v1alpha1

9
generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go generated Normal file
View File

@ -0,0 +1,9 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by client-gen. DO NOT EDIT.
// Package fake has the automatically generated clients.
package fake

29
generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go generated Normal file
View File

@ -0,0 +1,29 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1"
rest "k8s.io/client-go/rest"
testing "k8s.io/client-go/testing"
)
type FakeIDPV1alpha1 struct {
*testing.Fake
}
func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
return &FakeWebhookIdentityProviders{c, namespace}
}
// RESTClient returns a RESTClient that is used to communicate
// with API server by this client implementation.
func (c *FakeIDPV1alpha1) RESTClient() rest.Interface {
var ret *rest.RESTClient
return ret
}

129
generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go generated Normal file
View File

@ -0,0 +1,129 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
labels "k8s.io/apimachinery/pkg/labels"
schema "k8s.io/apimachinery/pkg/runtime/schema"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
testing "k8s.io/client-go/testing"
)
// FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface
type FakeWebhookIdentityProviders struct {
Fake *FakeIDPV1alpha1
ns string
}
var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
func (c *FakeWebhookIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewGetAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.WebhookIdentityProvider), err
}
// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors.
func (c *FakeWebhookIdentityProviders) List(opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) {
obj, err := c.Fake.
Invokes(testing.NewListAction(webhookidentityprovidersResource, webhookidentityprovidersKind, c.ns, opts), &v1alpha1.WebhookIdentityProviderList{})
if obj == nil {
return nil, err
}
label, _, _ := testing.ExtractFromListOptions(opts)
if label == nil {
label = labels.Everything()
}
list := &v1alpha1.WebhookIdentityProviderList{ListMeta: obj.(*v1alpha1.WebhookIdentityProviderList).ListMeta}
for _, item := range obj.(*v1alpha1.WebhookIdentityProviderList).Items {
if label.Matches(labels.Set(item.Labels)) {
list.Items = append(list.Items, item)
}
}
return list, err
}
// Watch returns a watch.Interface that watches the requested webhookIdentityProviders.
func (c *FakeWebhookIdentityProviders) Watch(opts v1.ListOptions) (watch.Interface, error) {
return c.Fake.
InvokesWatch(testing.NewWatchAction(webhookidentityprovidersResource, c.ns, opts))
}
// Create takes the representation of a webhookIdentityProvider and creates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
func (c *FakeWebhookIdentityProviders) Create(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewCreateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.WebhookIdentityProvider), err
}
// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
func (c *FakeWebhookIdentityProviders) Update(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.WebhookIdentityProvider), err
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *FakeWebhookIdentityProviders) UpdateStatus(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateSubresourceAction(webhookidentityprovidersResource, "status", c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.WebhookIdentityProvider), err
}
// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs.
func (c *FakeWebhookIdentityProviders) Delete(name string, options *v1.DeleteOptions) error {
_, err := c.Fake.
Invokes(testing.NewDeleteAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{})
return err
}
// DeleteCollection deletes a collection of objects.
func (c *FakeWebhookIdentityProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
action := testing.NewDeleteCollectionAction(webhookidentityprovidersResource, c.ns, listOptions)
_, err := c.Fake.Invokes(action, &v1alpha1.WebhookIdentityProviderList{})
return err
}
// Patch applies the patch and returns the patched webhookIdentityProvider.
func (c *FakeWebhookIdentityProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewPatchSubresourceAction(webhookidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.WebhookIdentityProvider), err
}

10
generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go generated Normal file
View File

@ -0,0 +1,10 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
type WebhookIdentityProviderExpansion interface{}

78
generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go generated Normal file
View File

@ -0,0 +1,78 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
import (
v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1"
"github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/scheme"
rest "k8s.io/client-go/rest"
)
type IDPV1alpha1Interface interface {
RESTClient() rest.Interface
WebhookIdentityProvidersGetter
}
// IDPV1alpha1Client is used to interact with features provided by the idp.pinniped.dev group.
type IDPV1alpha1Client struct {
restClient rest.Interface
}
func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
return newWebhookIdentityProviders(c, namespace)
}
// NewForConfig creates a new IDPV1alpha1Client for the given config.
func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
config := *c
if err := setConfigDefaults(&config); err != nil {
return nil, err
}
client, err := rest.RESTClientFor(&config)
if err != nil {
return nil, err
}
return &IDPV1alpha1Client{client}, nil
}
// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and
// panics if there is an error in the config.
func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
client, err := NewForConfig(c)
if err != nil {
panic(err)
}
return client
}
// New creates a new IDPV1alpha1Client for the given RESTClient.
func New(c rest.Interface) *IDPV1alpha1Client {
return &IDPV1alpha1Client{c}
}
func setConfigDefaults(config *rest.Config) error {
gv := v1alpha1.SchemeGroupVersion
config.GroupVersion = &gv
config.APIPath = "/apis"
config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
if config.UserAgent == "" {
config.UserAgent = rest.DefaultKubernetesUserAgent()
}
return nil
}
// RESTClient returns a RESTClient that is used to communicate
// with API server by this client implementation.
func (c *IDPV1alpha1Client) RESTClient() rest.Interface {
if c == nil {
return nil
}
return c.restClient
}

180
generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go generated Normal file
View File

@ -0,0 +1,180 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
import (
"time"
v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1"
scheme "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/scheme"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
rest "k8s.io/client-go/rest"
)
// WebhookIdentityProvidersGetter has a method to return a WebhookIdentityProviderInterface.
// A group's client should implement this interface.
type WebhookIdentityProvidersGetter interface {
WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface
}
// WebhookIdentityProviderInterface has methods to work with WebhookIdentityProvider resources.
type WebhookIdentityProviderInterface interface {
Create(*v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error)
Update(*v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error)
UpdateStatus(*v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error)
Delete(name string, options *v1.DeleteOptions) error
DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
Get(name string, options v1.GetOptions) (*v1alpha1.WebhookIdentityProvider, error)
List(opts v1.ListOptions) (*v1alpha1.WebhookIdentityProviderList, error)
Watch(opts v1.ListOptions) (watch.Interface, error)
Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error)
WebhookIdentityProviderExpansion
}
// webhookIdentityProviders implements WebhookIdentityProviderInterface
type webhookIdentityProviders struct {
client rest.Interface
ns string
}
// newWebhookIdentityProviders returns a WebhookIdentityProviders
func newWebhookIdentityProviders(c *IDPV1alpha1Client, namespace string) *webhookIdentityProviders {
return &webhookIdentityProviders{
client: c.RESTClient(),
ns: namespace,
}
}
// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
func (c *webhookIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
result = &v1alpha1.WebhookIdentityProvider{}
err = c.client.Get().
Namespace(c.ns).
Resource("webhookidentityproviders").
Name(name).
VersionedParams(&options, scheme.ParameterCodec).
Do().
Into(result)
return
}
// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors.
func (c *webhookIdentityProviders) List(opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
result = &v1alpha1.WebhookIdentityProviderList{}
err = c.client.Get().
Namespace(c.ns).
Resource("webhookidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Do().
Into(result)
return
}
// Watch returns a watch.Interface that watches the requested webhookIdentityProviders.
func (c *webhookIdentityProviders) Watch(opts v1.ListOptions) (watch.Interface, error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
opts.Watch = true
return c.client.Get().
Namespace(c.ns).
Resource("webhookidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Watch()
}
// Create takes the representation of a webhookIdentityProvider and creates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
func (c *webhookIdentityProviders) Create(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) {
result = &v1alpha1.WebhookIdentityProvider{}
err = c.client.Post().
Namespace(c.ns).
Resource("webhookidentityproviders").
Body(webhookIdentityProvider).
Do().
Into(result)
return
}
// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
func (c *webhookIdentityProviders) Update(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) {
result = &v1alpha1.WebhookIdentityProvider{}
err = c.client.Put().
Namespace(c.ns).
Resource("webhookidentityproviders").
Name(webhookIdentityProvider.Name).
Body(webhookIdentityProvider).
Do().
Into(result)
return
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *webhookIdentityProviders) UpdateStatus(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) {
result = &v1alpha1.WebhookIdentityProvider{}
err = c.client.Put().
Namespace(c.ns).
Resource("webhookidentityproviders").
Name(webhookIdentityProvider.Name).
SubResource("status").
Body(webhookIdentityProvider).
Do().
Into(result)
return
}
// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs.
func (c *webhookIdentityProviders) Delete(name string, options *v1.DeleteOptions) error {
return c.client.Delete().
Namespace(c.ns).
Resource("webhookidentityproviders").
Name(name).
Body(options).
Do().
Error()
}
// DeleteCollection deletes a collection of objects.
func (c *webhookIdentityProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
var timeout time.Duration
if listOptions.TimeoutSeconds != nil {
timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second
}
return c.client.Delete().
Namespace(c.ns).
Resource("webhookidentityproviders").
VersionedParams(&listOptions, scheme.ParameterCodec).
Timeout(timeout).
Body(options).
Do().
Error()
}
// Patch applies the patch and returns the patched webhookIdentityProvider.
func (c *webhookIdentityProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) {
result = &v1alpha1.WebhookIdentityProvider{}
err = c.client.Patch(pt).
Namespace(c.ns).
Resource("webhookidentityproviders").
SubResource(subresources...).
Name(name).
Body(data).
Do().
Into(result)
return
}

6
generated/1.17/client/informers/externalversions/factory.go generated
View File

@ -14,6 +14,7 @@ import (
versioned "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned"
crdpinniped "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/crdpinniped"
idp "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/idp"
internalinterfaces "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/internalinterfaces"
pinniped "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/pinniped"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -163,6 +164,7 @@ type SharedInformerFactory interface {
WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
Crd() crdpinniped.Interface
IDP() idp.Interface
Pinniped() pinniped.Interface
}
@ -170,6 +172,10 @@ func (f *sharedInformerFactory) Crd() crdpinniped.Interface {
return crdpinniped.New(f, f.namespace, f.tweakListOptions)
}
func (f *sharedInformerFactory) IDP() idp.Interface {
return idp.New(f, f.namespace, f.tweakListOptions)
}
func (f *sharedInformerFactory) Pinniped() pinniped.Interface {
return pinniped.New(f, f.namespace, f.tweakListOptions)
}

5
generated/1.17/client/informers/externalversions/generic.go generated
View File

@ -11,6 +11,7 @@ import (
"fmt"
v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1"
idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1"
pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1"
schema "k8s.io/apimachinery/pkg/runtime/schema"
cache "k8s.io/client-go/tools/cache"
@ -46,6 +47,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
// Group=idp.pinniped.dev, Version=v1alpha1
case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil
// Group=pinniped.dev, Version=v1alpha1
case pinnipedv1alpha1.SchemeGroupVersion.WithResource("credentialrequests"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Pinniped().V1alpha1().CredentialRequests().Informer()}, nil

35
generated/1.17/client/informers/externalversions/idp/interface.go generated Normal file
View File

@ -0,0 +1,35 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by informer-gen. DO NOT EDIT.
package idp
import (
v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/idp/v1alpha1"
internalinterfaces "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/internalinterfaces"
)
// Interface provides access to each of this group's versions.
type Interface interface {
// V1alpha1 provides access to shared informers for resources in V1alpha1.
V1alpha1() v1alpha1.Interface
}
type group struct {
factory internalinterfaces.SharedInformerFactory
namespace string
tweakListOptions internalinterfaces.TweakListOptionsFunc
}
// New returns a new Interface.
func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
}
// V1alpha1 returns a new v1alpha1.Interface.
func (g *group) V1alpha1() v1alpha1.Interface {
return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions)
}

34
generated/1.17/client/informers/externalversions/idp/v1alpha1/interface.go generated Normal file
View File

@ -0,0 +1,34 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by informer-gen. DO NOT EDIT.
package v1alpha1
import (
internalinterfaces "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/internalinterfaces"
)
// Interface provides access to all the informers in this group version.
type Interface interface {
// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
WebhookIdentityProviders() WebhookIdentityProviderInformer
}
type version struct {
factory internalinterfaces.SharedInformerFactory
namespace string
tweakListOptions internalinterfaces.TweakListOptionsFunc
}
// New returns a new Interface.
func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
}
// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer {
return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}

78
generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go generated Normal file
View File

@ -0,0 +1,78 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by informer-gen. DO NOT EDIT.
package v1alpha1
import (
time "time"
idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1"
versioned "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned"
internalinterfaces "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/internalinterfaces"
v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/listers/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// WebhookIdentityProviderInformer provides access to a shared informer and lister for
// WebhookIdentityProviders.
type WebhookIdentityProviderInformer interface {
Informer() cache.SharedIndexInformer
Lister() v1alpha1.WebhookIdentityProviderLister
}
type webhookIdentityProviderInformer struct {
factory internalinterfaces.SharedInformerFactory
tweakListOptions internalinterfaces.TweakListOptionsFunc
namespace string
}
// NewWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
return NewFilteredWebhookIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
}
// NewFilteredWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().WebhookIdentityProviders(namespace).List(options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().WebhookIdentityProviders(namespace).Watch(options)
},
},
&idpv1alpha1.WebhookIdentityProvider{},
resyncPeriod,
indexers,
)
}
func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
return NewFilteredWebhookIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
}
func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer {
return f.factory.InformerFor(&idpv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
}
func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister {
return v1alpha1.NewWebhookIdentityProviderLister(f.Informer().GetIndexer())
}

16
generated/1.17/client/listers/idp/v1alpha1/expansion_generated.go generated Normal file
View File

@ -0,0 +1,16 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by lister-gen. DO NOT EDIT.
package v1alpha1
// WebhookIdentityProviderListerExpansion allows custom methods to be added to
// WebhookIdentityProviderLister.
type WebhookIdentityProviderListerExpansion interface{}
// WebhookIdentityProviderNamespaceListerExpansion allows custom methods to be added to
// WebhookIdentityProviderNamespaceLister.
type WebhookIdentityProviderNamespaceListerExpansion interface{}

83
generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go generated Normal file
View File

@ -0,0 +1,83 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by lister-gen. DO NOT EDIT.
package v1alpha1
import (
v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
)
// WebhookIdentityProviderLister helps list WebhookIdentityProviders.
type WebhookIdentityProviderLister interface {
// List lists all WebhookIdentityProviders in the indexer.
List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error)
// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders.
WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister
WebhookIdentityProviderListerExpansion
}
// webhookIdentityProviderLister implements the WebhookIdentityProviderLister interface.
type webhookIdentityProviderLister struct {
indexer cache.Indexer
}
// NewWebhookIdentityProviderLister returns a new WebhookIdentityProviderLister.
func NewWebhookIdentityProviderLister(indexer cache.Indexer) WebhookIdentityProviderLister {
return &webhookIdentityProviderLister{indexer: indexer}
}
// List lists all WebhookIdentityProviders in the indexer.
func (s *webhookIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) {
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider))
})
return ret, err
}
// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders.
func (s *webhookIdentityProviderLister) WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister {
return webhookIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
}
// WebhookIdentityProviderNamespaceLister helps list and get WebhookIdentityProviders.
type WebhookIdentityProviderNamespaceLister interface {
// List lists all WebhookIdentityProviders in the indexer for a given namespace.
List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error)
// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name.
Get(name string) (*v1alpha1.WebhookIdentityProvider, error)
WebhookIdentityProviderNamespaceListerExpansion
}
// webhookIdentityProviderNamespaceLister implements the WebhookIdentityProviderNamespaceLister
// interface.
type webhookIdentityProviderNamespaceLister struct {
indexer cache.Indexer
namespace string
}
// List lists all WebhookIdentityProviders in the indexer for a given namespace.
func (s webhookIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) {
err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider))
})
return ret, err
}
// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name.
func (s webhookIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.WebhookIdentityProvider, error) {
obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
if err != nil {
return nil, err
}
if !exists {
return nil, errors.NewNotFound(v1alpha1.Resource("webhookidentityprovider"), name)
}
return obj.(*v1alpha1.WebhookIdentityProvider), nil
}

259
generated/1.17/client/openapi/zz_generated.openapi.go generated
View File

@ -24,6 +24,12 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
"github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1.CredentialIssuerConfigList": schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfigList(ref),
"github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStatus": schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStatus(ref),
"github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStrategy": schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref),
"github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.Condition": schema_117_apis_idp_v1alpha1_Condition(ref),
"github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.TLSSpec": schema_117_apis_idp_v1alpha1_TLSSpec(ref),
"github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProvider": schema_117_apis_idp_v1alpha1_WebhookIdentityProvider(ref),
"github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderList": schema_117_apis_idp_v1alpha1_WebhookIdentityProviderList(ref),
"github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderSpec": schema_117_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref),
"github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderStatus": schema_117_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref),
"github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1.CredentialRequest": schema_117_apis_pinniped_v1alpha1_CredentialRequest(ref),
"github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1.CredentialRequestCredential": schema_117_apis_pinniped_v1alpha1_CredentialRequestCredential(ref),
"github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1.CredentialRequestList": schema_117_apis_pinniped_v1alpha1_CredentialRequestList(ref),
@ -283,11 +289,250 @@ func schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref com
}
}
func schema_117_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"type": {
SchemaProps: spec.SchemaProps{
Description: "type of condition in CamelCase or in foo.example.com/CamelCase.",
Type: []string{"string"},
Format: "",
},
},
"status": {
SchemaProps: spec.SchemaProps{
Description: "status of the condition, one of True, False, Unknown.",
Type: []string{"string"},
Format: "",
},
},
"observedGeneration": {
SchemaProps: spec.SchemaProps{
Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
Type: []string{"integer"},
Format: "int64",
},
},
"lastTransitionTime": {
SchemaProps: spec.SchemaProps{
Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
},
},
"reason": {
SchemaProps: spec.SchemaProps{
Description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
Type: []string{"string"},
Format: "",
},
},
"message": {
SchemaProps: spec.SchemaProps{
Description: "message is a human readable message indicating details about the transition. This may be an empty string.",
Type: []string{"string"},
Format: "",
},
},
},
Required: []string{"type", "status", "lastTransitionTime", "reason", "message"},
},
},
Dependencies: []string{
"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
}
}
func schema_117_apis_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "Configuration for configuring TLS on various identity providers.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"certificateAuthorityData": {
SchemaProps: spec.SchemaProps{
Description: "X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.",
Type: []string{"string"},
Format: "",
},
},
},
},
},
}
}
func schema_117_apis_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"kind": {
SchemaProps: spec.SchemaProps{
Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
Type: []string{"string"},
Format: "",
},
},
"apiVersion": {
SchemaProps: spec.SchemaProps{
Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
Type: []string{"string"},
Format: "",
},
},
"metadata": {
SchemaProps: spec.SchemaProps{
Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
},
},
"spec": {
SchemaProps: spec.SchemaProps{
Description: "Spec for configuring the identity provider.",
Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderSpec"),
},
},
"status": {
SchemaProps: spec.SchemaProps{
Description: "Status of the identity provider.",
Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderStatus"),
},
},
},
Required: []string{"spec"},
},
},
Dependencies: []string{
"github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderSpec", "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
}
}
func schema_117_apis_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "List of WebhookIdentityProvider objects.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"kind": {
SchemaProps: spec.SchemaProps{
Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
Type: []string{"string"},
Format: "",
},
},
"apiVersion": {
SchemaProps: spec.SchemaProps{
Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
Type: []string{"string"},
Format: "",
},
},
"metadata": {
SchemaProps: spec.SchemaProps{
Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
},
},
"items": {
SchemaProps: spec.SchemaProps{
Type: []string{"array"},
Items: &spec.SchemaOrArray{
Schema: &spec.Schema{
SchemaProps: spec.SchemaProps{
Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProvider"),
},
},
},
},
},
},
Required: []string{"items"},
},
},
Dependencies: []string{
"github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
}
}
func schema_117_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "Spec for configuring a webhook identity provider.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"endpoint": {
SchemaProps: spec.SchemaProps{
Description: "Webhook server endpoint URL.",
Type: []string{"string"},
Format: "",
},
},
"tls": {
SchemaProps: spec.SchemaProps{
Description: "TLS configuration.",
Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.TLSSpec"),
},
},
},
Required: []string{"endpoint"},
},
},
Dependencies: []string{
"github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.TLSSpec"},
}
}
func schema_117_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "Status of a webhook identity provider.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"conditions": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-map-keys": []interface{}{
"type",
},
"x-kubernetes-list-type": "map",
"x-kubernetes-patch-merge-key": "type",
"x-kubernetes-patch-strategy": "merge",
},
},
SchemaProps: spec.SchemaProps{
Description: "Represents the observations of an identity provider's current state.",
Type: []string{"array"},
Items: &spec.SchemaOrArray{
Schema: &spec.Schema{
SchemaProps: spec.SchemaProps{
Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.Condition"),
},
},
},
},
},
},
},
},
Dependencies: []string{
"github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.Condition"},
}
}
func schema_117_apis_pinniped_v1alpha1_CredentialRequest(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Type: []string{"object"},
Description: "CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"kind": {
SchemaProps: spec.SchemaProps{
@ -330,7 +575,8 @@ func schema_117_apis_pinniped_v1alpha1_CredentialRequestCredential(ref common.Re
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Type: []string{"object"},
Description: "CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"expirationTimestamp": {
SchemaProps: spec.SchemaProps{
@ -418,7 +664,8 @@ func schema_117_apis_pinniped_v1alpha1_CredentialRequestSpec(ref common.Referenc
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Type: []string{"object"},
Description: "CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"type": {
SchemaProps: spec.SchemaProps{
@ -445,7 +692,8 @@ func schema_117_apis_pinniped_v1alpha1_CredentialRequestStatus(ref common.Refere
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Type: []string{"object"},
Description: "CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"credential": {
SchemaProps: spec.SchemaProps{
@ -472,7 +720,8 @@ func schema_117_apis_pinniped_v1alpha1_CredentialRequestTokenCredential(ref comm
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Type: []string{"object"},
Description: "CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"value": {
SchemaProps: spec.SchemaProps{

149
generated/1.17/crds/idp.pinniped.dev_webhookidentityproviders.yaml generated Normal file
View File

@ -0,0 +1,149 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: webhookidentityproviders.idp.pinniped.dev
spec:
group: idp.pinniped.dev
names:
categories:
- all
- idp
- idps
kind: WebhookIdentityProvider
listKind: WebhookIdentityProviderList
plural: webhookidentityproviders
shortNames:
- webhookidp
- webhookidps
singular: webhookidentityprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.endpoint
name: Endpoint
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: WebhookIdentityProvider describes the configuration of a Pinniped
webhook identity provider.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec for configuring the identity provider.
properties:
endpoint:
description: Webhook server endpoint URL.
minLength: 1
pattern: ^https://
type: string
tls:
description: TLS configuration.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
type: object
required:
- endpoint
type: object
status:
description: Status of the identity provider.
properties:
conditions:
description: Represents the observations of an identity provider's
current state.
items:
description: Condition status of a resource (mirrored from the metav1.Condition
type added in Kubernetes 1.19). In a future API version we can
switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

115
generated/1.18/README.adoc generated
View File

@ -6,6 +6,7 @@
.Packages
- xref:{anchor_prefix}-crd-pinniped-dev-v1alpha1[$$crd.pinniped.dev/v1alpha1$$]
- xref:{anchor_prefix}-idp-pinniped-dev-v1alpha1[$$idp.pinniped.dev/v1alpha1$$]
- xref:{anchor_prefix}-pinniped-dev-v1alpha1[$$pinniped.dev/v1alpha1$$]
@ -95,6 +96,110 @@ Status of a credential issuer.
[id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"]
=== idp.pinniped.dev/v1alpha1
Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-condition"]
==== Condition
Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
.Appears In:
****
- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
|===
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-tlsspec"]
==== TLSSpec
Configuration for configuring TLS on various identity providers.
.Appears In:
****
- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
|===
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityprovider"]
==== WebhookIdentityProvider
WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
.Appears In:
****
- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
|===
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderspec"]
==== WebhookIdentityProviderSpec
Spec for configuring a webhook identity provider.
.Appears In:
****
- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`endpoint`* __string__ | Webhook server endpoint URL.
| *`tls`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
|===
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderstatus"]
==== WebhookIdentityProviderStatus
Status of a webhook identity provider.
.Appears In:
****
- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`conditions`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
|===
[id="{anchor_prefix}-pinniped-dev-v1alpha1"]
=== pinniped.dev/v1alpha1
@ -105,7 +210,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-pinniped-v1alpha1-credentialrequest"]
==== CredentialRequest
CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
.Appears In:
****
@ -125,7 +230,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-pinniped-v1alpha1-credentialrequestcredential"]
==== CredentialRequestCredential
CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
.Appears In:
****
@ -147,7 +252,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-pinniped-v1alpha1-credentialrequestspec"]
==== CredentialRequestSpec
CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API
.Appears In:
****
@ -165,7 +270,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-pinniped-v1alpha1-credentialrequeststatus"]
==== CredentialRequestStatus
CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API.
.Appears In:
****
@ -183,7 +288,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-pinniped-v1alpha1-credentialrequesttokencredential"]
==== CredentialRequestTokenCredential
CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider.
.Appears In:
****

10
generated/1.18/apis/idp/doc.go generated Normal file
View File

@ -0,0 +1,10 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// +k8s:deepcopy-gen=package
// +groupName=idp.pinniped.dev
// Package idp is the internal version of the Pinniped identity provider API.
package idp

6
generated/1.18/apis/idp/v1alpha1/conversion.go generated Normal file
View File

@ -0,0 +1,6 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1

14
generated/1.18/apis/idp/v1alpha1/defaults.go generated Normal file
View File

@ -0,0 +1,14 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1
import (
"k8s.io/apimachinery/pkg/runtime"
)
func addDefaultingFuncs(scheme *runtime.Scheme) error {
return RegisterDefaults(scheme)
}

14
generated/1.18/apis/idp/v1alpha1/doc.go generated Normal file
View File

@ -0,0 +1,14 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// +k8s:openapi-gen=true
// +k8s:deepcopy-gen=package
// +k8s:conversion-gen=github.com/suzerain-io/pinniped/generated/1.18/apis/idp
// +k8s:defaulter-gen=TypeMeta
// +groupName=idp.pinniped.dev
// +groupGoName=IDP
// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
package v1alpha1

45
generated/1.18/apis/idp/v1alpha1/register.go generated Normal file
View File

@ -0,0 +1,45 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
)
const GroupName = "idp.pinniped.dev"
// SchemeGroupVersion is group version used to register these objects.
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
var (
SchemeBuilder runtime.SchemeBuilder
localSchemeBuilder = &SchemeBuilder
AddToScheme = localSchemeBuilder.AddToScheme
)
func init() {
// We only register manually written functions here. The registration of the
// generated functions takes place in the generated files. The separation
// makes the code compile even when the generated files are missing.
localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs)
}
// Adds the list of known types to the given scheme.
func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&WebhookIdentityProvider{},
&WebhookIdentityProviderList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil
}
// Resource takes an unqualified resource and returns a Group qualified GroupResource.
func Resource(resource string) schema.GroupResource {
return SchemeGroupVersion.WithResource(resource).GroupResource()
}

77
generated/1.18/apis/idp/v1alpha1/types_meta.go generated Normal file
View File

@ -0,0 +1,77 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
// ConditionStatus is effectively an enum type for Condition.Status.
type ConditionStatus string
// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.
// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes
// can't decide if a resource is in the condition or not. In the future, we could add other
// intermediate conditions, e.g. ConditionDegraded.
const (
ConditionTrue ConditionStatus = "True"
ConditionFalse ConditionStatus = "False"
ConditionUnknown ConditionStatus = "Unknown"
)
// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API
// version we can switch to using the upstream type.
// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
type Condition struct {
// type of condition in CamelCase or in foo.example.com/CamelCase.
// ---
// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
// useful (see .node.status.conditions), the ability to deconflict is important.
// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
// +kubebuilder:validation:MaxLength=316
Type string `json:"type"`
// status of the condition, one of True, False, Unknown.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Enum=True;False;Unknown
Status ConditionStatus `json:"status"`
// observedGeneration represents the .metadata.generation that the condition was set based upon.
// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
// with respect to the current state of the instance.
// +optional
// +kubebuilder:validation:Minimum=0
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
// lastTransitionTime is the last time the condition transitioned from one status to another.
// This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Type=string
// +kubebuilder:validation:Format=date-time
LastTransitionTime metav1.Time `json:"lastTransitionTime"`
// reason contains a programmatic identifier indicating the reason for the condition's last transition.
// Producers of specific condition types may define expected values and meanings for this field,
// and whether the values are considered a guaranteed API.
// The value should be a CamelCase string.
// This field may not be empty.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:MaxLength=1024
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`
Reason string `json:"reason"`
// message is a human readable message indicating details about the transition.
// This may be an empty string.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:MaxLength=32768
Message string `json:"message"`
}

13
generated/1.18/apis/idp/v1alpha1/types_tls.go generated Normal file
View File

@ -0,0 +1,13 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1
// Configuration for configuring TLS on various identity providers.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
}

55
generated/1.18/apis/idp/v1alpha1/types_webhook.go generated Normal file
View File

@ -0,0 +1,55 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
// Status of a webhook identity provider.
type WebhookIdentityProviderStatus struct {
// Represents the observations of an identity provider's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
// Spec for configuring a webhook identity provider.
type WebhookIdentityProviderSpec struct {
// Webhook server endpoint URL.
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:Pattern=`^https://`
Endpoint string `json:"endpoint"`
// TLS configuration.
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
}
// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps
// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
type WebhookIdentityProvider struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the identity provider.
Spec WebhookIdentityProviderSpec `json:"spec"`
// Status of the identity provider.
Status WebhookIdentityProviderStatus `json:"status,omitempty"`
}
// List of WebhookIdentityProvider objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type WebhookIdentityProviderList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []WebhookIdentityProvider `json:"items"`
}

24
generated/1.18/apis/idp/v1alpha1/zz_generated.conversion.go generated Normal file
View File

@ -0,0 +1,24 @@
// +build !ignore_autogenerated
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by conversion-gen. DO NOT EDIT.
package v1alpha1
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
func init() {
localSchemeBuilder.Register(RegisterConversions)
}
// RegisterConversions adds conversion functions to the given scheme.
// Public to allow building arbitrary schemes.
func RegisterConversions(s *runtime.Scheme) error {
return nil
}

152
generated/1.18/apis/idp/v1alpha1/zz_generated.deepcopy.go generated Normal file
View File

@ -0,0 +1,152 @@
// +build !ignore_autogenerated
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package v1alpha1
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Condition) DeepCopyInto(out *Condition) {
*out = *in
in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
func (in *Condition) DeepCopy() *Condition {
if in == nil {
return nil
}
out := new(Condition)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec.
func (in *TLSSpec) DeepCopy() *TLSSpec {
if in == nil {
return nil
}
out := new(TLSSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProvider.
func (in *WebhookIdentityProvider) DeepCopy() *WebhookIdentityProvider {
if in == nil {
return nil
}
out := new(WebhookIdentityProvider)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProviderList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]WebhookIdentityProvider, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderList.
func (in *WebhookIdentityProviderList) DeepCopy() *WebhookIdentityProviderList {
if in == nil {
return nil
}
out := new(WebhookIdentityProviderList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProviderSpec) {
*out = *in
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderSpec.
func (in *WebhookIdentityProviderSpec) DeepCopy() *WebhookIdentityProviderSpec {
if in == nil {
return nil
}
out := new(WebhookIdentityProviderSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProviderStatus) {
*out = *in
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderStatus.
func (in *WebhookIdentityProviderStatus) DeepCopy() *WebhookIdentityProviderStatus {
if in == nil {
return nil
}
out := new(WebhookIdentityProviderStatus)
in.DeepCopyInto(out)
return out
}

21
generated/1.18/apis/idp/v1alpha1/zz_generated.defaults.go generated Normal file
View File

@ -0,0 +1,21 @@
// +build !ignore_autogenerated
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by defaulter-gen. DO NOT EDIT.
package v1alpha1
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// RegisterDefaults adds defaulters functions to the given scheme.
// Public to allow building arbitrary schemes.
// All generated defaulters are covering - they call all nested defaulters.
func RegisterDefaults(scheme *runtime.Scheme) error {
return nil
}

10
generated/1.18/apis/idp/zz_generated.deepcopy.go generated Normal file
View File

@ -0,0 +1,10 @@
// +build !ignore_autogenerated
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package idp

27
generated/1.18/apis/pinniped/v1alpha1/types.go generated
View File

@ -13,19 +13,23 @@ const (
TokenCredentialType = CredentialType("token")
)
// CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider.
type CredentialRequestTokenCredential struct {
// Value of the bearer token supplied with the credential request.
Value string `json:"value,omitempty" protobuf:"bytes,1,opt,name=value"`
Value string `json:"value,omitempty"`
}
// CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API
type CredentialRequestSpec struct {
// Type of credential.
Type CredentialType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type"`
Type CredentialType `json:"type,omitempty"`
// Token credential (when Type == TokenCredentialType).
Token *CredentialRequestTokenCredential `json:"token,omitempty" protobuf:"bytes,2,opt,name=token"`
Token *CredentialRequestTokenCredential `json:"token,omitempty"`
}
// CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It
// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
type CredentialRequestCredential struct {
// ExpirationTimestamp indicates a time when the provided credentials expire.
ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"`
@ -40,6 +44,7 @@ type CredentialRequestCredential struct {
ClientKeyData string `json:"clientKeyData,omitempty"`
}
// CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API.
type CredentialRequestStatus struct {
// A Credential will be returned for a successful credential request.
// +optional
@ -50,25 +55,25 @@ type CredentialRequestStatus struct {
Message *string `json:"message,omitempty"`
}
// CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type CredentialRequest struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec CredentialRequestSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
Status CredentialRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
Spec CredentialRequestSpec `json:"spec,omitempty"`
Status CredentialRequestStatus `json:"status,omitempty"`
}
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// CredentialRequestList is a list of CredentialRequest objects.
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type CredentialRequestList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []CredentialRequest `json:"items" protobuf:"bytes,2,rep,name=items"`
Items []CredentialRequest `json:"items"`
}

14
generated/1.18/client/clientset/versioned/clientset.go generated
View File

@ -11,6 +11,7 @@ import (
"fmt"
crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/crdpinniped/v1alpha1"
idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1"
pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/pinniped/v1alpha1"
discovery "k8s.io/client-go/discovery"
rest "k8s.io/client-go/rest"
@ -20,6 +21,7 @@ import (
type Interface interface {
Discovery() discovery.DiscoveryInterface
CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface
IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface
PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface
}
@ -28,6 +30,7 @@ type Interface interface {
type Clientset struct {
*discovery.DiscoveryClient
crdV1alpha1 *crdv1alpha1.CrdV1alpha1Client
iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client
pinnipedV1alpha1 *pinnipedv1alpha1.PinnipedV1alpha1Client
}
@ -36,6 +39,11 @@ func (c *Clientset) CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface {
return c.crdV1alpha1
}
// IDPV1alpha1 retrieves the IDPV1alpha1Client
func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
return c.iDPV1alpha1
}
// PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client
func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface {
return c.pinnipedV1alpha1
@ -66,6 +74,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
if err != nil {
return nil, err
}
cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy)
if err != nil {
return nil, err
}
cs.pinnipedV1alpha1, err = pinnipedv1alpha1.NewForConfig(&configShallowCopy)
if err != nil {
return nil, err
@ -83,6 +95,7 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
func NewForConfigOrDie(c *rest.Config) *Clientset {
var cs Clientset
cs.crdV1alpha1 = crdv1alpha1.NewForConfigOrDie(c)
cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c)
cs.pinnipedV1alpha1 = pinnipedv1alpha1.NewForConfigOrDie(c)
cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
@ -93,6 +106,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
func New(c rest.Interface) *Clientset {
var cs Clientset
cs.crdV1alpha1 = crdv1alpha1.New(c)
cs.iDPV1alpha1 = idpv1alpha1.New(c)
cs.pinnipedV1alpha1 = pinnipedv1alpha1.New(c)
cs.DiscoveryClient = discovery.NewDiscoveryClient(c)

7
generated/1.18/client/clientset/versioned/fake/clientset_generated.go generated
View File

@ -11,6 +11,8 @@ import (
clientset "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned"
crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/crdpinniped/v1alpha1"
fakecrdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/crdpinniped/v1alpha1/fake"
idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1"
fakeidpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake"
pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/pinniped/v1alpha1"
fakepinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/pinniped/v1alpha1/fake"
"k8s.io/apimachinery/pkg/runtime"
@ -72,6 +74,11 @@ func (c *Clientset) CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface {
return &fakecrdv1alpha1.FakeCrdV1alpha1{Fake: &c.Fake}
}
// IDPV1alpha1 retrieves the IDPV1alpha1Client
func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface {
return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake}
}
// PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client
func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface {
return &fakepinnipedv1alpha1.FakePinnipedV1alpha1{Fake: &c.Fake}

2
generated/1.18/client/clientset/versioned/fake/register.go generated
View File

@ -9,6 +9,7 @@ package fake
import (
crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1"
idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1"
pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
@ -22,6 +23,7 @@ var codecs = serializer.NewCodecFactory(scheme)
var parameterCodec = runtime.NewParameterCodec(scheme)
var localSchemeBuilder = runtime.SchemeBuilder{
crdv1alpha1.AddToScheme,
idpv1alpha1.AddToScheme,
pinnipedv1alpha1.AddToScheme,
}

2
generated/1.18/client/clientset/versioned/scheme/register.go generated
View File

@ -9,6 +9,7 @@ package scheme
import (
crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1"
idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1"
pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
@ -22,6 +23,7 @@ var Codecs = serializer.NewCodecFactory(Scheme)
var ParameterCodec = runtime.NewParameterCodec(Scheme)
var localSchemeBuilder = runtime.SchemeBuilder{
crdv1alpha1.AddToScheme,
idpv1alpha1.AddToScheme,
pinnipedv1alpha1.AddToScheme,
}

9
generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/doc.go generated Normal file
View File

@ -0,0 +1,9 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by client-gen. DO NOT EDIT.
// This package has the automatically generated typed clients.
package v1alpha1

9
generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go generated Normal file
View File

@ -0,0 +1,9 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by client-gen. DO NOT EDIT.
// Package fake has the automatically generated clients.
package fake

29
generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go generated Normal file
View File

@ -0,0 +1,29 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1"
rest "k8s.io/client-go/rest"
testing "k8s.io/client-go/testing"
)
type FakeIDPV1alpha1 struct {
*testing.Fake
}
func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface {
return &FakeWebhookIdentityProviders{c, namespace}
}
// RESTClient returns a RESTClient that is used to communicate
// with API server by this client implementation.
func (c *FakeIDPV1alpha1) RESTClient() rest.Interface {
var ret *rest.RESTClient
return ret
}

131
generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go generated Normal file
View File

@ -0,0 +1,131 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
"context"
v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
labels "k8s.io/apimachinery/pkg/labels"
schema "k8s.io/apimachinery/pkg/runtime/schema"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
testing "k8s.io/client-go/testing"
)
// FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface
type FakeWebhookIdentityProviders struct {
Fake *FakeIDPV1alpha1
ns string
}
var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"}
var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"}
// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
func (c *FakeWebhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewGetAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.WebhookIdentityProvider), err
}
// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors.
func (c *FakeWebhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) {
obj, err := c.Fake.
Invokes(testing.NewListAction(webhookidentityprovidersResource, webhookidentityprovidersKind, c.ns, opts), &v1alpha1.WebhookIdentityProviderList{})
if obj == nil {
return nil, err
}
label, _, _ := testing.ExtractFromListOptions(opts)
if label == nil {
label = labels.Everything()
}
list := &v1alpha1.WebhookIdentityProviderList{ListMeta: obj.(*v1alpha1.WebhookIdentityProviderList).ListMeta}
for _, item := range obj.(*v1alpha1.WebhookIdentityProviderList).Items {
if label.Matches(labels.Set(item.Labels)) {
list.Items = append(list.Items, item)
}
}
return list, err
}
// Watch returns a watch.Interface that watches the requested webhookIdentityProviders.
func (c *FakeWebhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
return c.Fake.
InvokesWatch(testing.NewWatchAction(webhookidentityprovidersResource, c.ns, opts))
}
// Create takes the representation of a webhookIdentityProvider and creates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
func (c *FakeWebhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewCreateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.WebhookIdentityProvider), err
}
// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
func (c *FakeWebhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.WebhookIdentityProvider), err
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *FakeWebhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateSubresourceAction(webhookidentityprovidersResource, "status", c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.WebhookIdentityProvider), err
}
// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs.
func (c *FakeWebhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
_, err := c.Fake.
Invokes(testing.NewDeleteAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{})
return err
}
// DeleteCollection deletes a collection of objects.
func (c *FakeWebhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
action := testing.NewDeleteCollectionAction(webhookidentityprovidersResource, c.ns, listOpts)
_, err := c.Fake.Invokes(action, &v1alpha1.WebhookIdentityProviderList{})
return err
}
// Patch applies the patch and returns the patched webhookIdentityProvider.
func (c *FakeWebhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) {
obj, err := c.Fake.
Invokes(testing.NewPatchSubresourceAction(webhookidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookIdentityProvider{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.WebhookIdentityProvider), err
}

10
generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go generated Normal file
View File

@ -0,0 +1,10 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
type WebhookIdentityProviderExpansion interface{}

78
generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go generated Normal file
View File

@ -0,0 +1,78 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
import (
v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1"
"github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/scheme"
rest "k8s.io/client-go/rest"
)
type IDPV1alpha1Interface interface {
RESTClient() rest.Interface
WebhookIdentityProvidersGetter
}
// IDPV1alpha1Client is used to interact with features provided by the idp.pinniped.dev group.
type IDPV1alpha1Client struct {
restClient rest.Interface
}
func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface {
return newWebhookIdentityProviders(c, namespace)
}
// NewForConfig creates a new IDPV1alpha1Client for the given config.
func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) {
config := *c
if err := setConfigDefaults(&config); err != nil {
return nil, err
}
client, err := rest.RESTClientFor(&config)
if err != nil {
return nil, err
}
return &IDPV1alpha1Client{client}, nil
}
// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and
// panics if there is an error in the config.
func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client {
client, err := NewForConfig(c)
if err != nil {
panic(err)
}
return client
}
// New creates a new IDPV1alpha1Client for the given RESTClient.
func New(c rest.Interface) *IDPV1alpha1Client {
return &IDPV1alpha1Client{c}
}
func setConfigDefaults(config *rest.Config) error {
gv := v1alpha1.SchemeGroupVersion
config.GroupVersion = &gv
config.APIPath = "/apis"
config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
if config.UserAgent == "" {
config.UserAgent = rest.DefaultKubernetesUserAgent()
}
return nil
}
// RESTClient returns a RESTClient that is used to communicate
// with API server by this client implementation.
func (c *IDPV1alpha1Client) RESTClient() rest.Interface {
if c == nil {
return nil
}
return c.restClient
}

184
generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go generated Normal file
View File

@ -0,0 +1,184 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
"time"
v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1"
scheme "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/scheme"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
rest "k8s.io/client-go/rest"
)
// WebhookIdentityProvidersGetter has a method to return a WebhookIdentityProviderInterface.
// A group's client should implement this interface.
type WebhookIdentityProvidersGetter interface {
WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface
}
// WebhookIdentityProviderInterface has methods to work with WebhookIdentityProvider resources.
type WebhookIdentityProviderInterface interface {
Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (*v1alpha1.WebhookIdentityProvider, error)
Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error)
UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error)
Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.WebhookIdentityProvider, error)
List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.WebhookIdentityProviderList, error)
Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error)
WebhookIdentityProviderExpansion
}
// webhookIdentityProviders implements WebhookIdentityProviderInterface
type webhookIdentityProviders struct {
client rest.Interface
ns string
}
// newWebhookIdentityProviders returns a WebhookIdentityProviders
func newWebhookIdentityProviders(c *IDPV1alpha1Client, namespace string) *webhookIdentityProviders {
return &webhookIdentityProviders{
client: c.RESTClient(),
ns: namespace,
}
}
// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any.
func (c *webhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
result = &v1alpha1.WebhookIdentityProvider{}
err = c.client.Get().
Namespace(c.ns).
Resource("webhookidentityproviders").
Name(name).
VersionedParams(&options, scheme.ParameterCodec).
Do(ctx).
Into(result)
return
}
// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors.
func (c *webhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
result = &v1alpha1.WebhookIdentityProviderList{}
err = c.client.Get().
Namespace(c.ns).
Resource("webhookidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Do(ctx).
Into(result)
return
}
// Watch returns a watch.Interface that watches the requested webhookIdentityProviders.
func (c *webhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
opts.Watch = true
return c.client.Get().
Namespace(c.ns).
Resource("webhookidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Watch(ctx)
}
// Create takes the representation of a webhookIdentityProvider and creates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
func (c *webhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
result = &v1alpha1.WebhookIdentityProvider{}
err = c.client.Post().
Namespace(c.ns).
Resource("webhookidentityproviders").
VersionedParams(&opts, scheme.ParameterCodec).
Body(webhookIdentityProvider).
Do(ctx).
Into(result)
return
}
// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any.
func (c *webhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
result = &v1alpha1.WebhookIdentityProvider{}
err = c.client.Put().
Namespace(c.ns).
Resource("webhookidentityproviders").
Name(webhookIdentityProvider.Name).
VersionedParams(&opts, scheme.ParameterCodec).
Body(webhookIdentityProvider).
Do(ctx).
Into(result)
return
}
// UpdateStatus was generated because the type contains a Status member.
// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
func (c *webhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) {
result = &v1alpha1.WebhookIdentityProvider{}
err = c.client.Put().
Namespace(c.ns).
Resource("webhookidentityproviders").
Name(webhookIdentityProvider.Name).
SubResource("status").
VersionedParams(&opts, scheme.ParameterCodec).
Body(webhookIdentityProvider).
Do(ctx).
Into(result)
return
}
// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs.
func (c *webhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
return c.client.Delete().
Namespace(c.ns).
Resource("webhookidentityproviders").
Name(name).
Body(&opts).
Do(ctx).
Error()
}
// DeleteCollection deletes a collection of objects.
func (c *webhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
var timeout time.Duration
if listOpts.TimeoutSeconds != nil {
timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
}
return c.client.Delete().
Namespace(c.ns).
Resource("webhookidentityproviders").
VersionedParams(&listOpts, scheme.ParameterCodec).
Timeout(timeout).
Body(&opts).
Do(ctx).
Error()
}
// Patch applies the patch and returns the patched webhookIdentityProvider.
func (c *webhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) {
result = &v1alpha1.WebhookIdentityProvider{}
err = c.client.Patch(pt).
Namespace(c.ns).
Resource("webhookidentityproviders").
Name(name).
SubResource(subresources...).
VersionedParams(&opts, scheme.ParameterCodec).
Body(data).
Do(ctx).
Into(result)
return
}

6
generated/1.18/client/informers/externalversions/factory.go generated
View File

@ -14,6 +14,7 @@ import (
versioned "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned"
crdpinniped "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/crdpinniped"
idp "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/idp"
internalinterfaces "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/internalinterfaces"
pinniped "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/pinniped"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -163,6 +164,7 @@ type SharedInformerFactory interface {
WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
Crd() crdpinniped.Interface
IDP() idp.Interface
Pinniped() pinniped.Interface
}
@ -170,6 +172,10 @@ func (f *sharedInformerFactory) Crd() crdpinniped.Interface {
return crdpinniped.New(f, f.namespace, f.tweakListOptions)
}
func (f *sharedInformerFactory) IDP() idp.Interface {
return idp.New(f, f.namespace, f.tweakListOptions)
}
func (f *sharedInformerFactory) Pinniped() pinniped.Interface {
return pinniped.New(f, f.namespace, f.tweakListOptions)
}

5
generated/1.18/client/informers/externalversions/generic.go generated
View File

@ -11,6 +11,7 @@ import (
"fmt"
v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1"
idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1"
pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1"
schema "k8s.io/apimachinery/pkg/runtime/schema"
cache "k8s.io/client-go/tools/cache"
@ -46,6 +47,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha1().CredentialIssuerConfigs().Informer()}, nil
// Group=idp.pinniped.dev, Version=v1alpha1
case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"):
return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil
// Group=pinniped.dev, Version=v1alpha1
case pinnipedv1alpha1.SchemeGroupVersion.WithResource("credentialrequests"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Pinniped().V1alpha1().CredentialRequests().Informer()}, nil

35
generated/1.18/client/informers/externalversions/idp/interface.go generated Normal file
View File

@ -0,0 +1,35 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by informer-gen. DO NOT EDIT.
package idp
import (
v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/idp/v1alpha1"
internalinterfaces "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/internalinterfaces"
)
// Interface provides access to each of this group's versions.
type Interface interface {
// V1alpha1 provides access to shared informers for resources in V1alpha1.
V1alpha1() v1alpha1.Interface
}
type group struct {
factory internalinterfaces.SharedInformerFactory
namespace string
tweakListOptions internalinterfaces.TweakListOptionsFunc
}
// New returns a new Interface.
func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
}
// V1alpha1 returns a new v1alpha1.Interface.
func (g *group) V1alpha1() v1alpha1.Interface {
return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions)
}

34
generated/1.18/client/informers/externalversions/idp/v1alpha1/interface.go generated Normal file
View File

@ -0,0 +1,34 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by informer-gen. DO NOT EDIT.
package v1alpha1
import (
internalinterfaces "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/internalinterfaces"
)
// Interface provides access to all the informers in this group version.
type Interface interface {
// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
WebhookIdentityProviders() WebhookIdentityProviderInformer
}
type version struct {
factory internalinterfaces.SharedInformerFactory
namespace string
tweakListOptions internalinterfaces.TweakListOptionsFunc
}
// New returns a new Interface.
func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
}
// WebhookIdentityProviders returns a WebhookIdentityProviderInformer.
func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer {
return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}

79
generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go generated Normal file
View File

@ -0,0 +1,79 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by informer-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
time "time"
idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1"
versioned "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned"
internalinterfaces "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/internalinterfaces"
v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/listers/idp/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// WebhookIdentityProviderInformer provides access to a shared informer and lister for
// WebhookIdentityProviders.
type WebhookIdentityProviderInformer interface {
Informer() cache.SharedIndexInformer
Lister() v1alpha1.WebhookIdentityProviderLister
}
type webhookIdentityProviderInformer struct {
factory internalinterfaces.SharedInformerFactory
tweakListOptions internalinterfaces.TweakListOptionsFunc
namespace string
}
// NewWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
return NewFilteredWebhookIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil)
}
// NewFilteredWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.IDPV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options)
},
},
&idpv1alpha1.WebhookIdentityProvider{},
resyncPeriod,
indexers,
)
}
func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
return NewFilteredWebhookIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
}
func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer {
return f.factory.InformerFor(&idpv1alpha1.WebhookIdentityProvider{}, f.defaultInformer)
}
func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister {
return v1alpha1.NewWebhookIdentityProviderLister(f.Informer().GetIndexer())
}

16
generated/1.18/client/listers/idp/v1alpha1/expansion_generated.go generated Normal file
View File

@ -0,0 +1,16 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by lister-gen. DO NOT EDIT.
package v1alpha1
// WebhookIdentityProviderListerExpansion allows custom methods to be added to
// WebhookIdentityProviderLister.
type WebhookIdentityProviderListerExpansion interface{}
// WebhookIdentityProviderNamespaceListerExpansion allows custom methods to be added to
// WebhookIdentityProviderNamespaceLister.
type WebhookIdentityProviderNamespaceListerExpansion interface{}

83
generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go generated Normal file
View File

@ -0,0 +1,83 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// Code generated by lister-gen. DO NOT EDIT.
package v1alpha1
import (
v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
)
// WebhookIdentityProviderLister helps list WebhookIdentityProviders.
type WebhookIdentityProviderLister interface {
// List lists all WebhookIdentityProviders in the indexer.
List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error)
// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders.
WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister
WebhookIdentityProviderListerExpansion
}
// webhookIdentityProviderLister implements the WebhookIdentityProviderLister interface.
type webhookIdentityProviderLister struct {
indexer cache.Indexer
}
// NewWebhookIdentityProviderLister returns a new WebhookIdentityProviderLister.
func NewWebhookIdentityProviderLister(indexer cache.Indexer) WebhookIdentityProviderLister {
return &webhookIdentityProviderLister{indexer: indexer}
}
// List lists all WebhookIdentityProviders in the indexer.
func (s *webhookIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) {
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider))
})
return ret, err
}
// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders.
func (s *webhookIdentityProviderLister) WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister {
return webhookIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace}
}
// WebhookIdentityProviderNamespaceLister helps list and get WebhookIdentityProviders.
type WebhookIdentityProviderNamespaceLister interface {
// List lists all WebhookIdentityProviders in the indexer for a given namespace.
List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error)
// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name.
Get(name string) (*v1alpha1.WebhookIdentityProvider, error)
WebhookIdentityProviderNamespaceListerExpansion
}
// webhookIdentityProviderNamespaceLister implements the WebhookIdentityProviderNamespaceLister
// interface.
type webhookIdentityProviderNamespaceLister struct {
indexer cache.Indexer
namespace string
}
// List lists all WebhookIdentityProviders in the indexer for a given namespace.
func (s webhookIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) {
err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider))
})
return ret, err
}
// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name.
func (s webhookIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.WebhookIdentityProvider, error) {
obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
if err != nil {
return nil, err
}
if !exists {
return nil, errors.NewNotFound(v1alpha1.Resource("webhookidentityprovider"), name)
}
return obj.(*v1alpha1.WebhookIdentityProvider), nil
}

259
generated/1.18/client/openapi/zz_generated.openapi.go generated
View File

@ -24,6 +24,12 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
"github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1.CredentialIssuerConfigList": schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfigList(ref),
"github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStatus": schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStatus(ref),
"github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStrategy": schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref),
"github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.Condition": schema_118_apis_idp_v1alpha1_Condition(ref),
"github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.TLSSpec": schema_118_apis_idp_v1alpha1_TLSSpec(ref),
"github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProvider": schema_118_apis_idp_v1alpha1_WebhookIdentityProvider(ref),
"github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderList": schema_118_apis_idp_v1alpha1_WebhookIdentityProviderList(ref),
"github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderSpec": schema_118_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref),
"github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderStatus": schema_118_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref),
"github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1.CredentialRequest": schema_118_apis_pinniped_v1alpha1_CredentialRequest(ref),
"github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1.CredentialRequestCredential": schema_118_apis_pinniped_v1alpha1_CredentialRequestCredential(ref),
"github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1.CredentialRequestList": schema_118_apis_pinniped_v1alpha1_CredentialRequestList(ref),
@ -283,11 +289,250 @@ func schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref com
}
}
func schema_118_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"type": {
SchemaProps: spec.SchemaProps{
Description: "type of condition in CamelCase or in foo.example.com/CamelCase.",
Type: []string{"string"},
Format: "",
},
},
"status": {
SchemaProps: spec.SchemaProps{
Description: "status of the condition, one of True, False, Unknown.",
Type: []string{"string"},
Format: "",
},
},
"observedGeneration": {
SchemaProps: spec.SchemaProps{
Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.",
Type: []string{"integer"},
Format: "int64",
},
},
"lastTransitionTime": {
SchemaProps: spec.SchemaProps{
Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.",
Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
},
},
"reason": {
SchemaProps: spec.SchemaProps{
Description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.",
Type: []string{"string"},
Format: "",
},
},
"message": {
SchemaProps: spec.SchemaProps{
Description: "message is a human readable message indicating details about the transition. This may be an empty string.",
Type: []string{"string"},
Format: "",
},
},
},
Required: []string{"type", "status", "lastTransitionTime", "reason", "message"},
},
},
Dependencies: []string{
"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
}
}
func schema_118_apis_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "Configuration for configuring TLS on various identity providers.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"certificateAuthorityData": {
SchemaProps: spec.SchemaProps{
Description: "X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.",
Type: []string{"string"},
Format: "",
},
},
},
},
},
}
}
func schema_118_apis_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"kind": {
SchemaProps: spec.SchemaProps{
Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
Type: []string{"string"},
Format: "",
},
},
"apiVersion": {
SchemaProps: spec.SchemaProps{
Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
Type: []string{"string"},
Format: "",
},
},
"metadata": {
SchemaProps: spec.SchemaProps{
Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
},
},
"spec": {
SchemaProps: spec.SchemaProps{
Description: "Spec for configuring the identity provider.",
Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderSpec"),
},
},
"status": {
SchemaProps: spec.SchemaProps{
Description: "Status of the identity provider.",
Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderStatus"),
},
},
},
Required: []string{"spec"},
},
},
Dependencies: []string{
"github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderSpec", "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
}
}
func schema_118_apis_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "List of WebhookIdentityProvider objects.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"kind": {
SchemaProps: spec.SchemaProps{
Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
Type: []string{"string"},
Format: "",
},
},
"apiVersion": {
SchemaProps: spec.SchemaProps{
Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
Type: []string{"string"},
Format: "",
},
},
"metadata": {
SchemaProps: spec.SchemaProps{
Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
},
},
"items": {
SchemaProps: spec.SchemaProps{
Type: []string{"array"},
Items: &spec.SchemaOrArray{
Schema: &spec.Schema{
SchemaProps: spec.SchemaProps{
Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProvider"),
},
},
},
},
},
},
Required: []string{"items"},
},
},
Dependencies: []string{
"github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
}
}
func schema_118_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "Spec for configuring a webhook identity provider.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"endpoint": {
SchemaProps: spec.SchemaProps{
Description: "Webhook server endpoint URL.",
Type: []string{"string"},
Format: "",
},
},
"tls": {
SchemaProps: spec.SchemaProps{
Description: "TLS configuration.",
Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.TLSSpec"),
},
},
},
Required: []string{"endpoint"},
},
},
Dependencies: []string{
"github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.TLSSpec"},
}
}
func schema_118_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "Status of a webhook identity provider.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"conditions": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-map-keys": []interface{}{
"type",
},
"x-kubernetes-list-type": "map",
"x-kubernetes-patch-merge-key": "type",
"x-kubernetes-patch-strategy": "merge",
},
},
SchemaProps: spec.SchemaProps{
Description: "Represents the observations of an identity provider's current state.",
Type: []string{"array"},
Items: &spec.SchemaOrArray{
Schema: &spec.Schema{
SchemaProps: spec.SchemaProps{
Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.Condition"),
},
},
},
},
},
},
},
},
Dependencies: []string{
"github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.Condition"},
}
}
func schema_118_apis_pinniped_v1alpha1_CredentialRequest(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Type: []string{"object"},
Description: "CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"kind": {
SchemaProps: spec.SchemaProps{
@ -330,7 +575,8 @@ func schema_118_apis_pinniped_v1alpha1_CredentialRequestCredential(ref common.Re
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Type: []string{"object"},
Description: "CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"expirationTimestamp": {
SchemaProps: spec.SchemaProps{
@ -418,7 +664,8 @@ func schema_118_apis_pinniped_v1alpha1_CredentialRequestSpec(ref common.Referenc
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Type: []string{"object"},
Description: "CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"type": {
SchemaProps: spec.SchemaProps{
@ -445,7 +692,8 @@ func schema_118_apis_pinniped_v1alpha1_CredentialRequestStatus(ref common.Refere
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Type: []string{"object"},
Description: "CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"credential": {
SchemaProps: spec.SchemaProps{
@ -472,7 +720,8 @@ func schema_118_apis_pinniped_v1alpha1_CredentialRequestTokenCredential(ref comm
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Type: []string{"object"},
Description: "CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"value": {
SchemaProps: spec.SchemaProps{

149
generated/1.18/crds/idp.pinniped.dev_webhookidentityproviders.yaml generated Normal file
View File

@ -0,0 +1,149 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: webhookidentityproviders.idp.pinniped.dev
spec:
group: idp.pinniped.dev
names:
categories:
- all
- idp
- idps
kind: WebhookIdentityProvider
listKind: WebhookIdentityProviderList
plural: webhookidentityproviders
shortNames:
- webhookidp
- webhookidps
singular: webhookidentityprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.endpoint
name: Endpoint
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: WebhookIdentityProvider describes the configuration of a Pinniped
webhook identity provider.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec for configuring the identity provider.
properties:
endpoint:
description: Webhook server endpoint URL.
minLength: 1
pattern: ^https://
type: string
tls:
description: TLS configuration.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
type: object
required:
- endpoint
type: object
status:
description: Status of the identity provider.
properties:
conditions:
description: Represents the observations of an identity provider's
current state.
items:
description: Condition status of a resource (mirrored from the metav1.Condition
type added in Kubernetes 1.19). In a future API version we can
switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

115
generated/1.19/README.adoc generated
View File

@ -6,6 +6,7 @@
.Packages
- xref:{anchor_prefix}-crd-pinniped-dev-v1alpha1[$$crd.pinniped.dev/v1alpha1$$]
- xref:{anchor_prefix}-idp-pinniped-dev-v1alpha1[$$idp.pinniped.dev/v1alpha1$$]
- xref:{anchor_prefix}-pinniped-dev-v1alpha1[$$pinniped.dev/v1alpha1$$]
@ -95,6 +96,110 @@ Status of a credential issuer.
[id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"]
=== idp.pinniped.dev/v1alpha1
Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-condition"]
==== Condition
Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
.Appears In:
****
- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown.
| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string.
|===
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-tlsspec"]
==== TLSSpec
Configuration for configuring TLS on various identity providers.
.Appears In:
****
- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
|===
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityprovider"]
==== WebhookIdentityProvider
WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.
.Appears In:
****
- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
| *`spec`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider.
| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider.
|===
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderspec"]
==== WebhookIdentityProviderSpec
Spec for configuring a webhook identity provider.
.Appears In:
****
- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`endpoint`* __string__ | Webhook server endpoint URL.
| *`tls`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration.
|===
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderstatus"]
==== WebhookIdentityProviderStatus
Status of a webhook identity provider.
.Appears In:
****
- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`conditions`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state.
|===
[id="{anchor_prefix}-pinniped-dev-v1alpha1"]
=== pinniped.dev/v1alpha1
@ -105,7 +210,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-pinniped-v1alpha1-credentialrequest"]
==== CredentialRequest
CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.
.Appears In:
****
@ -125,7 +230,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-pinniped-v1alpha1-credentialrequestcredential"]
==== CredentialRequestCredential
CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.
.Appears In:
****
@ -147,7 +252,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-pinniped-v1alpha1-credentialrequestspec"]
==== CredentialRequestSpec
CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API
.Appears In:
****
@ -165,7 +270,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-pinniped-v1alpha1-credentialrequeststatus"]
==== CredentialRequestStatus
CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API.
.Appears In:
****
@ -183,7 +288,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-pinniped-v1alpha1-credentialrequesttokencredential"]
==== CredentialRequestTokenCredential
CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider.
.Appears In:
****

10
generated/1.19/apis/idp/doc.go generated Normal file
View File

@ -0,0 +1,10 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
// +k8s:deepcopy-gen=package
// +groupName=idp.pinniped.dev
// Package idp is the internal version of the Pinniped identity provider API.
package idp

6
generated/1.19/apis/idp/v1alpha1/conversion.go generated Normal file
View File

@ -0,0 +1,6 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1

14
generated/1.19/apis/idp/v1alpha1/defaults.go generated Normal file
View File

@ -0,0 +1,14 @@
/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/
package v1alpha1
import (
"k8s.io/apimachinery/pkg/runtime"
)
func addDefaultingFuncs(scheme *runtime.Scheme) error {
return RegisterDefaults(scheme)
}

Some files were not shown because too many files have changed in this diff Show More