diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 00000000..cfe81844 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,2 @@ +*.go.tmpl linguist-language=Go +generated/** linguist-generated diff --git a/ADOPTERS.md b/ADOPTERS.md new file mode 100644 index 00000000..56086137 --- /dev/null +++ b/ADOPTERS.md @@ -0,0 +1,9 @@ +# Pinniped Adopters + +These organizations are using Pinniped. + +* [VMware Tanzu](https://tanzu.vmware.com/) ([Tanzu Mission Control](https://tanzu.vmware.com/mission-control)) + +If you are using Pinniped and are not on this list, you can open a [pull +request](https://github.com/suzerain-io/pinniped/issues/new?template=feature-proposal.md) +to add yourself. diff --git a/MAINTAINERS.md b/MAINTAINERS.md new file mode 100644 index 00000000..bc80e218 --- /dev/null +++ b/MAINTAINERS.md @@ -0,0 +1,17 @@ +# Pinniped Maintainers + +This is the current list of maintainers for the Pinniped project. + +| Maintainer | GitHub ID | Affiliation | +| --------------- | --------- | ----------- | +| Andrew Keesler | [ankeesler](https://github.com/ankeesler) | [VMware](https://www.github.com/vmware/) | +| Matt Moyer | [mattmoyer](https://github.com/mattmoyer) | [VMware](https://www.github.com/vmware/) | +| Pablo Schuhmacher | [pabloschuhmacher](https://github.com/pabloschuhmacher) | [VMware](https://www.github.com/vmware/) | +| Ryan Richard | [cfryanr](https://github.com/cfryanr) | [VMware](https://www.github.com/vmware/) | + +## Pinniped Contributors & Stakeholders + +| Feature Area | Lead | +| ----------------------------- | :---------------------: | +| Technical Lead | Matt Moyer (mattmoyer) | +| Product Management | Pablo Schuhmacher (pabloschuhmacher) | diff --git a/README.md b/README.md index d80cf92a..a6ca6137 100644 --- a/README.md +++ b/README.md @@ -34,6 +34,10 @@ To learn more, see [architecture.md](doc/architecture.md). ![example-deployment-architecture](doc/img/pinniped-architecture.svg) +## Trying Pinniped + +Care to kick the tires? It's easy to [install and try Pinniped](doc/demo.md). + ## Installation Currently, Pinniped supports self-hosted clusters where the Kube Controller Manager pod diff --git a/apis/idp/doc.go.tmpl b/apis/idp/doc.go.tmpl new file mode 100644 index 00000000..b7689b2b --- /dev/null +++ b/apis/idp/doc.go.tmpl @@ -0,0 +1,10 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// +k8s:deepcopy-gen=package +// +groupName=idp.pinniped.dev + +// Package idp is the internal version of the Pinniped identity provider API. +package idp diff --git a/apis/idp/v1alpha1/conversion.go.tmpl b/apis/idp/v1alpha1/conversion.go.tmpl new file mode 100644 index 00000000..63bc360f --- /dev/null +++ b/apis/idp/v1alpha1/conversion.go.tmpl @@ -0,0 +1,6 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 diff --git a/apis/idp/v1alpha1/defaults.go.tmpl b/apis/idp/v1alpha1/defaults.go.tmpl new file mode 100644 index 00000000..ba08404d --- /dev/null +++ b/apis/idp/v1alpha1/defaults.go.tmpl @@ -0,0 +1,14 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime" +) + +func addDefaultingFuncs(scheme *runtime.Scheme) error { + return RegisterDefaults(scheme) +} diff --git a/apis/idp/v1alpha1/doc.go.tmpl b/apis/idp/v1alpha1/doc.go.tmpl new file mode 100644 index 00000000..2fc5b55c --- /dev/null +++ b/apis/idp/v1alpha1/doc.go.tmpl @@ -0,0 +1,14 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=github.com/suzerain-io/pinniped/GENERATED_PKG/apis/idp +// +k8s:defaulter-gen=TypeMeta +// +groupName=idp.pinniped.dev +// +groupGoName=IDP + +// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API. +package v1alpha1 diff --git a/apis/idp/v1alpha1/register.go.tmpl b/apis/idp/v1alpha1/register.go.tmpl new file mode 100644 index 00000000..b7878a21 --- /dev/null +++ b/apis/idp/v1alpha1/register.go.tmpl @@ -0,0 +1,45 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "idp.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &WebhookIdentityProvider{}, + &WebhookIdentityProviderList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/apis/idp/v1alpha1/types_meta.go.tmpl b/apis/idp/v1alpha1/types_meta.go.tmpl new file mode 100644 index 00000000..fe4a5c25 --- /dev/null +++ b/apis/idp/v1alpha1/types_meta.go.tmpl @@ -0,0 +1,77 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} diff --git a/apis/idp/v1alpha1/types_tls.go.tmpl b/apis/idp/v1alpha1/types_tls.go.tmpl new file mode 100644 index 00000000..64f355e6 --- /dev/null +++ b/apis/idp/v1alpha1/types_tls.go.tmpl @@ -0,0 +1,13 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +// Configuration for configuring TLS on various identity providers. +type TLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` +} diff --git a/apis/idp/v1alpha1/types_webhook.go.tmpl b/apis/idp/v1alpha1/types_webhook.go.tmpl new file mode 100644 index 00000000..046a16cb --- /dev/null +++ b/apis/idp/v1alpha1/types_webhook.go.tmpl @@ -0,0 +1,55 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// Status of a webhook identity provider. +type WebhookIdentityProviderStatus struct { + // Represents the observations of an identity provider's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// Spec for configuring a webhook identity provider. +type WebhookIdentityProviderSpec struct { + // Webhook server endpoint URL. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://` + Endpoint string `json:"endpoint"` + + // TLS configuration. + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps +// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint` +type WebhookIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec WebhookIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status WebhookIdentityProviderStatus `json:"status,omitempty"` +} + +// List of WebhookIdentityProvider objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type WebhookIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []WebhookIdentityProvider `json:"items"` +} diff --git a/apis/pinniped/v1alpha1/types.go.tmpl b/apis/pinniped/v1alpha1/types.go.tmpl index 0037021e..420f1402 100644 --- a/apis/pinniped/v1alpha1/types.go.tmpl +++ b/apis/pinniped/v1alpha1/types.go.tmpl @@ -13,19 +13,23 @@ const ( TokenCredentialType = CredentialType("token") ) +// CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider. type CredentialRequestTokenCredential struct { // Value of the bearer token supplied with the credential request. - Value string `json:"value,omitempty" protobuf:"bytes,1,opt,name=value"` + Value string `json:"value,omitempty"` } +// CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API type CredentialRequestSpec struct { // Type of credential. - Type CredentialType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type"` + Type CredentialType `json:"type,omitempty"` // Token credential (when Type == TokenCredentialType). - Token *CredentialRequestTokenCredential `json:"token,omitempty" protobuf:"bytes,2,opt,name=token"` + Token *CredentialRequestTokenCredential `json:"token,omitempty"` } +// CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It +// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster. type CredentialRequestCredential struct { // ExpirationTimestamp indicates a time when the provided credentials expire. ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"` @@ -40,6 +44,7 @@ type CredentialRequestCredential struct { ClientKeyData string `json:"clientKeyData,omitempty"` } +// CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API. type CredentialRequestStatus struct { // A Credential will be returned for a successful credential request. // +optional @@ -50,25 +55,25 @@ type CredentialRequestStatus struct { Message *string `json:"message,omitempty"` } +// CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. // +genclient // +genclient:nonNamespaced // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - type CredentialRequest struct { metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ObjectMeta `json:"metadata,omitempty"` - Spec CredentialRequestSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` - Status CredentialRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` + Spec CredentialRequestSpec `json:"spec,omitempty"` + Status CredentialRequestStatus `json:"status,omitempty"` } -// +genclient:nonNamespaced -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // CredentialRequestList is a list of CredentialRequest objects. +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type CredentialRequestList struct { metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ListMeta `json:"metadata,omitempty"` - Items []CredentialRequest `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []CredentialRequest `json:"items"` } diff --git a/cmd/pinniped/cmd/exchange_credential.go b/cmd/pinniped/cmd/exchange_credential.go new file mode 100644 index 00000000..87f7b0f2 --- /dev/null +++ b/cmd/pinniped/cmd/exchange_credential.go @@ -0,0 +1,126 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package cmd + +import ( + "context" + "encoding/json" + "fmt" + "io" + "os" + "time" + + "github.com/spf13/cobra" + clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1" + + "github.com/suzerain-io/pinniped/internal/client" + "github.com/suzerain-io/pinniped/internal/constable" + "github.com/suzerain-io/pinniped/internal/here" +) + +//nolint: gochecknoinits +func init() { + rootCmd.AddCommand(newExchangeCredentialCmd(os.Args, os.Stdout, os.Stderr).cmd) +} + +type exchangeCredentialCommand struct { + // runFunc is called by the cobra.Command.Run hook. It is included here for + // testability. + runFunc func(stdout, stderr io.Writer) + + // cmd is the cobra.Command for this CLI command. It is included here for + // testability. + cmd *cobra.Command +} + +func newExchangeCredentialCmd(args []string, stdout, stderr io.Writer) *exchangeCredentialCommand { + c := &exchangeCredentialCommand{ + runFunc: runExchangeCredential, + } + + c.cmd = &cobra.Command{ + Run: func(cmd *cobra.Command, _ []string) { + c.runFunc(stdout, stderr) + }, + Args: cobra.NoArgs, // do not accept positional arguments for this command + Use: "exchange-credential", + Short: "Exchange a credential for a cluster-specific access credential", + Long: here.Doc(` + Exchange a credential which proves your identity for a time-limited, + cluster-specific access credential. + + Designed to be conveniently used as an credential plugin for kubectl. + See the help message for 'pinniped get-kubeconfig' for more + information about setting up a kubeconfig file using Pinniped. + + Requires all of the following environment variables, which are + typically set in the kubeconfig: + - PINNIPED_TOKEN: the token to send to Pinniped for exchange + - PINNIPED_CA_BUNDLE: the CA bundle to trust when calling + Pinniped's HTTPS endpoint + - PINNIPED_K8S_API_ENDPOINT: the URL for the Pinniped credential + exchange API + + For more information about credential plugins in general, see + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins + `), + } + + c.cmd.SetArgs(args) + c.cmd.SetOut(stdout) + c.cmd.SetErr(stderr) + + return c +} + +type envGetter func(string) (string, bool) +type tokenExchanger func(ctx context.Context, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) + +const ErrMissingEnvVar = constable.Error("failed to get credential: environment variable not set") + +func runExchangeCredential(stdout, _ io.Writer) { + err := exchangeCredential(os.LookupEnv, client.ExchangeToken, stdout, 30*time.Second) + if err != nil { + _, _ = fmt.Fprintf(os.Stderr, "%s\n", err.Error()) + os.Exit(1) + } +} + +func exchangeCredential(envGetter envGetter, tokenExchanger tokenExchanger, outputWriter io.Writer, timeout time.Duration) error { + ctx, cancel := context.WithTimeout(context.Background(), timeout) + defer cancel() + + token, varExists := envGetter("PINNIPED_TOKEN") + if !varExists { + return envVarNotSetError("PINNIPED_TOKEN") + } + + caBundle, varExists := envGetter("PINNIPED_CA_BUNDLE") + if !varExists { + return envVarNotSetError("PINNIPED_CA_BUNDLE") + } + + apiEndpoint, varExists := envGetter("PINNIPED_K8S_API_ENDPOINT") + if !varExists { + return envVarNotSetError("PINNIPED_K8S_API_ENDPOINT") + } + + cred, err := tokenExchanger(ctx, token, caBundle, apiEndpoint) + if err != nil { + return fmt.Errorf("failed to get credential: %w", err) + } + + err = json.NewEncoder(outputWriter).Encode(cred) + if err != nil { + return fmt.Errorf("failed to marshal response to stdout: %w", err) + } + + return nil +} + +func envVarNotSetError(varName string) error { + return fmt.Errorf("%w: %s", ErrMissingEnvVar, varName) +} diff --git a/cmd/pinniped/main_test.go b/cmd/pinniped/cmd/exchange_credential_test.go similarity index 57% rename from cmd/pinniped/main_test.go rename to cmd/pinniped/cmd/exchange_credential_test.go index 261fa50b..0bf77bdc 100644 --- a/cmd/pinniped/main_test.go +++ b/cmd/pinniped/cmd/exchange_credential_test.go @@ -3,12 +3,13 @@ Copyright 2020 VMware, Inc. SPDX-License-Identifier: Apache-2.0 */ -package main +package cmd import ( "bytes" "context" "fmt" + "io" "testing" "time" @@ -18,11 +19,107 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1" + "github.com/suzerain-io/pinniped/internal/here" "github.com/suzerain-io/pinniped/internal/testutil" ) -func TestRun(t *testing.T) { - spec.Run(t, "main.run", func(t *testing.T, when spec.G, it spec.S) { +var ( + knownGoodUsageForExchangeCredential = here.Doc(` + Usage: + exchange-credential [flags] + + Flags: + -h, --help help for exchange-credential + + `) + + knownGoodHelpForExchangeCredential = here.Doc(` + Exchange a credential which proves your identity for a time-limited, + cluster-specific access credential. + + Designed to be conveniently used as an credential plugin for kubectl. + See the help message for 'pinniped get-kubeconfig' for more + information about setting up a kubeconfig file using Pinniped. + + Requires all of the following environment variables, which are + typically set in the kubeconfig: + - PINNIPED_TOKEN: the token to send to Pinniped for exchange + - PINNIPED_CA_BUNDLE: the CA bundle to trust when calling + Pinniped's HTTPS endpoint + - PINNIPED_K8S_API_ENDPOINT: the URL for the Pinniped credential + exchange API + + For more information about credential plugins in general, see + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins + + Usage: + exchange-credential [flags] + + Flags: + -h, --help help for exchange-credential + `) +) + +func TestNewCredentialExchangeCmd(t *testing.T) { + spec.Run(t, "newCredentialExchangeCmd", func(t *testing.T, when spec.G, it spec.S) { + var r *require.Assertions + var stdout, stderr *bytes.Buffer + + it.Before(func() { + r = require.New(t) + + stdout, stderr = bytes.NewBuffer([]byte{}), bytes.NewBuffer([]byte{}) + }) + + it("calls runFunc and does not print usage or help when correct arguments and flags are used", func() { + c := newExchangeCredentialCmd([]string{}, stdout, stderr) + + runFuncCalled := false + c.runFunc = func(out, err io.Writer) { + runFuncCalled = true + } + + r.NoError(c.cmd.Execute()) + r.True(runFuncCalled) + r.Empty(stdout.String()) + r.Empty(stderr.String()) + }) + + it("fails when args are passed", func() { + c := newExchangeCredentialCmd([]string{"some-arg"}, stdout, stderr) + + runFuncCalled := false + c.runFunc = func(out, err io.Writer) { + runFuncCalled = true + } + + errorMessage := `unknown command "some-arg" for "exchange-credential"` + r.EqualError(c.cmd.Execute(), errorMessage) + r.False(runFuncCalled) + + output := "Error: " + errorMessage + "\n" + knownGoodUsageForExchangeCredential + r.Equal(output, stdout.String()) + r.Empty(stderr.String()) + }) + + it("prints a nice help message", func() { + c := newExchangeCredentialCmd([]string{"--help"}, stdout, stderr) + + runFuncCalled := false + c.runFunc = func(out, err io.Writer) { + runFuncCalled = true + } + + r.NoError(c.cmd.Execute()) + r.False(runFuncCalled) + r.Equal(knownGoodHelpForExchangeCredential, stdout.String()) + r.Empty(stderr.String()) + }) + }, spec.Parallel(), spec.Report(report.Terminal{})) +} + +func TestExchangeCredential(t *testing.T) { + spec.Run(t, "cmd.exchangeCredential", func(t *testing.T, when spec.G, it spec.S) { var r *require.Assertions var buffer *bytes.Buffer var tokenExchanger tokenExchanger @@ -49,19 +146,19 @@ func TestRun(t *testing.T) { when("env vars are missing", func() { it("returns an error when PINNIPED_TOKEN is missing", func() { delete(fakeEnv, "PINNIPED_TOKEN") - err := run(envGetter, tokenExchanger, buffer, 30*time.Second) + err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second) r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_TOKEN") }) it("returns an error when PINNIPED_CA_BUNDLE is missing", func() { delete(fakeEnv, "PINNIPED_CA_BUNDLE") - err := run(envGetter, tokenExchanger, buffer, 30*time.Second) + err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second) r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_CA_BUNDLE") }) it("returns an error when PINNIPED_K8S_API_ENDPOINT is missing", func() { delete(fakeEnv, "PINNIPED_K8S_API_ENDPOINT") - err := run(envGetter, tokenExchanger, buffer, 30*time.Second) + err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second) r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_K8S_API_ENDPOINT") }) }) @@ -74,7 +171,7 @@ func TestRun(t *testing.T) { }) it("returns an error", func() { - err := run(envGetter, tokenExchanger, buffer, 30*time.Second) + err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second) r.EqualError(err, "failed to get credential: some error") }) }) @@ -91,7 +188,7 @@ func TestRun(t *testing.T) { }) it("returns an error", func() { - err := run(envGetter, tokenExchanger, &testutil.ErrorWriter{ReturnError: fmt.Errorf("some IO error")}, 30*time.Second) + err := exchangeCredential(envGetter, tokenExchanger, &testutil.ErrorWriter{ReturnError: fmt.Errorf("some IO error")}, 30*time.Second) r.EqualError(err, "failed to marshal response to stdout: some IO error") }) }) @@ -113,7 +210,7 @@ func TestRun(t *testing.T) { }) it("returns an error", func() { - err := run(envGetter, tokenExchanger, buffer, 1*time.Millisecond) + err := exchangeCredential(envGetter, tokenExchanger, buffer, 1*time.Millisecond) r.EqualError(err, "failed to get credential: context deadline exceeded") }) }) @@ -141,7 +238,7 @@ func TestRun(t *testing.T) { }) it("writes the execCredential to the given writer", func() { - err := run(envGetter, tokenExchanger, buffer, 30*time.Second) + err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second) r.NoError(err) r.Equal(fakeEnv["PINNIPED_TOKEN"], actualToken) r.Equal(fakeEnv["PINNIPED_CA_BUNDLE"], actualCaBundle) diff --git a/cmd/pinniped/cmd/get_kubeconfig.go b/cmd/pinniped/cmd/get_kubeconfig.go new file mode 100644 index 00000000..ff9b98ad --- /dev/null +++ b/cmd/pinniped/cmd/get_kubeconfig.go @@ -0,0 +1,347 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package cmd + +import ( + "bytes" + "context" + "encoding/base64" + "fmt" + "io" + "os" + "time" + + "github.com/ghodss/yaml" + "github.com/spf13/cobra" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1" + "k8s.io/client-go/rest" + "k8s.io/client-go/tools/clientcmd" + clientcmdapi "k8s.io/client-go/tools/clientcmd/api" + v1 "k8s.io/client-go/tools/clientcmd/api/v1" + + "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1" + pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" + "github.com/suzerain-io/pinniped/internal/constable" + "github.com/suzerain-io/pinniped/internal/controller/issuerconfig" + "github.com/suzerain-io/pinniped/internal/here" +) + +const ( + getKubeConfigCmdTokenFlagName = "token" + getKubeConfigCmdKubeconfigFlagName = "kubeconfig" + getKubeConfigCmdKubeconfigContextFlagName = "kubeconfig-context" + getKubeConfigCmdPinnipedNamespaceFlagName = "pinniped-namespace" +) + +//nolint: gochecknoinits +func init() { + rootCmd.AddCommand(newGetKubeConfigCmd(os.Args, os.Stdout, os.Stderr).cmd) +} + +type getKubeConfigCommand struct { + // runFunc is called by the cobra.Command.Run hook. It is included here for + // testability. + runFunc func( + stdout, stderr io.Writer, + token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string, + ) + + // cmd is the cobra.Command for this CLI command. It is included here for + // testability. + cmd *cobra.Command +} + +func newGetKubeConfigCmd(args []string, stdout, stderr io.Writer) *getKubeConfigCommand { + c := &getKubeConfigCommand{ + runFunc: runGetKubeConfig, + } + + c.cmd = &cobra.Command{ + Run: func(cmd *cobra.Command, _ []string) { + token := cmd.Flag(getKubeConfigCmdTokenFlagName).Value.String() + kubeconfigPathOverride := cmd.Flag(getKubeConfigCmdKubeconfigFlagName).Value.String() + currentContextOverride := cmd.Flag(getKubeConfigCmdKubeconfigContextFlagName).Value.String() + pinnipedInstallationNamespace := cmd.Flag(getKubeConfigCmdPinnipedNamespaceFlagName).Value.String() + c.runFunc( + stdout, + stderr, + token, + kubeconfigPathOverride, + currentContextOverride, + pinnipedInstallationNamespace, + ) + }, + Args: cobra.NoArgs, // do not accept positional arguments for this command + Use: "get-kubeconfig", + Short: "Print a kubeconfig for authenticating into a cluster via Pinniped", + Long: here.Doc(` + Print a kubeconfig for authenticating into a cluster via Pinniped. + + Requires admin-like access to the cluster using the current + kubeconfig context in order to access Pinniped's metadata. + The current kubeconfig is found similar to how kubectl finds it: + using the value of the --kubeconfig option, or if that is not + specified then from the value of the KUBECONFIG environment + variable, or if that is not specified then it defaults to + .kube/config in your home directory. + + Prints a kubeconfig which is suitable to access the cluster using + Pinniped as the authentication mechanism. This kubeconfig output + can be saved to a file and used with future kubectl commands, e.g.: + pinniped get-kubeconfig --token $MY_TOKEN > $HOME/mycluster-kubeconfig + kubectl --kubeconfig $HOME/mycluster-kubeconfig get pods + `), + } + + c.cmd.SetArgs(args) + c.cmd.SetOut(stdout) + c.cmd.SetErr(stderr) + + c.cmd.Flags().StringP( + getKubeConfigCmdTokenFlagName, + "", + "", + "Credential to include in the resulting kubeconfig output (Required)", + ) + err := c.cmd.MarkFlagRequired(getKubeConfigCmdTokenFlagName) + if err != nil { + panic(err) + } + + c.cmd.Flags().StringP( + getKubeConfigCmdKubeconfigFlagName, + "", + "", + "Path to the kubeconfig file", + ) + + c.cmd.Flags().StringP( + getKubeConfigCmdKubeconfigContextFlagName, + "", + "", + "Kubeconfig context override", + ) + + c.cmd.Flags().StringP( + getKubeConfigCmdPinnipedNamespaceFlagName, + "", + "pinniped", + "Namespace in which Pinniped was installed", + ) + + return c +} + +func runGetKubeConfig( + stdout, stderr io.Writer, + token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string, +) { + err := getKubeConfig( + stdout, + stderr, + token, + kubeconfigPathOverride, + currentContextOverride, + pinnipedInstallationNamespace, + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + return pinnipedclientset.NewForConfig(restConfig) + }, + ) + + if err != nil { + _, _ = fmt.Fprintf(os.Stderr, "error: %s\n", err.Error()) + os.Exit(1) + } +} + +func getKubeConfig( + outputWriter io.Writer, + warningsWriter io.Writer, + token string, + kubeconfigPathOverride string, + currentContextNameOverride string, + pinnipedInstallationNamespace string, + kubeClientCreator func(restConfig *rest.Config) (pinnipedclientset.Interface, error), +) error { + if token == "" { + return constable.Error("--" + getKubeConfigCmdTokenFlagName + " flag value cannot be empty") + } + + fullPathToSelf, err := os.Executable() + if err != nil { + return fmt.Errorf("could not find path to self: %w", err) + } + + clientConfig := newClientConfig(kubeconfigPathOverride, currentContextNameOverride) + + currentKubeConfig, err := clientConfig.RawConfig() + if err != nil { + return err + } + + credentialIssuerConfig, err := fetchPinnipedCredentialIssuerConfig(clientConfig, kubeClientCreator, pinnipedInstallationNamespace) + if err != nil { + return err + } + + if credentialIssuerConfig.Status.KubeConfigInfo == nil { + return constable.Error(`CredentialIssuerConfig "pinniped-config" was missing KubeConfigInfo`) + } + + v1Cluster, err := copyCurrentClusterFromExistingKubeConfig(currentKubeConfig, currentContextNameOverride) + if err != nil { + return err + } + + err = issueWarningForNonMatchingServerOrCA(v1Cluster, credentialIssuerConfig, warningsWriter) + if err != nil { + return err + } + + config := newPinnipedKubeconfig(v1Cluster, fullPathToSelf, token) + + err = writeConfigAsYAML(outputWriter, config) + if err != nil { + return err + } + + return nil +} + +func issueWarningForNonMatchingServerOrCA(v1Cluster v1.Cluster, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, warningsWriter io.Writer) error { + credentialIssuerConfigCA, err := base64.StdEncoding.DecodeString(credentialIssuerConfig.Status.KubeConfigInfo.CertificateAuthorityData) + if err != nil { + return err + } + if v1Cluster.Server != credentialIssuerConfig.Status.KubeConfigInfo.Server || + !bytes.Equal(v1Cluster.CertificateAuthorityData, credentialIssuerConfigCA) { + _, err := warningsWriter.Write([]byte("WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.\n")) + if err != nil { + return fmt.Errorf("output write error: %w", err) + } + } + return nil +} + +func fetchPinnipedCredentialIssuerConfig(clientConfig clientcmd.ClientConfig, kubeClientCreator func(restConfig *rest.Config) (pinnipedclientset.Interface, error), pinnipedInstallationNamespace string) (*v1alpha1.CredentialIssuerConfig, error) { + restConfig, err := clientConfig.ClientConfig() + if err != nil { + return nil, err + } + clientset, err := kubeClientCreator(restConfig) + if err != nil { + return nil, err + } + + ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20) + defer cancelFunc() + + credentialIssuerConfig, err := clientset.CrdV1alpha1().CredentialIssuerConfigs(pinnipedInstallationNamespace).Get(ctx, issuerconfig.ConfigName, metav1.GetOptions{}) + if err != nil { + if apierrors.IsNotFound(err) { + return nil, constable.Error(fmt.Sprintf( + `CredentialIssuerConfig "%s" was not found in namespace "%s". Is Pinniped installed on this cluster in namespace "%s"?`, + issuerconfig.ConfigName, + pinnipedInstallationNamespace, + pinnipedInstallationNamespace, + )) + } + return nil, err + } + + return credentialIssuerConfig, nil +} + +func newClientConfig(kubeconfigPathOverride string, currentContextName string) clientcmd.ClientConfig { + loadingRules := clientcmd.NewDefaultClientConfigLoadingRules() + loadingRules.ExplicitPath = kubeconfigPathOverride + clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{ + CurrentContext: currentContextName, + }) + return clientConfig +} + +func writeConfigAsYAML(outputWriter io.Writer, config v1.Config) error { + output, err := yaml.Marshal(&config) + if err != nil { + return fmt.Errorf("YAML serialization error: %w", err) + } + + _, err = outputWriter.Write(output) + if err != nil { + return fmt.Errorf("output write error: %w", err) + } + + return nil +} + +func copyCurrentClusterFromExistingKubeConfig(currentKubeConfig clientcmdapi.Config, currentContextNameOverride string) (v1.Cluster, error) { + v1Cluster := v1.Cluster{} + + contextName := currentKubeConfig.CurrentContext + if currentContextNameOverride != "" { + contextName = currentContextNameOverride + } + + err := v1.Convert_api_Cluster_To_v1_Cluster( + currentKubeConfig.Clusters[currentKubeConfig.Contexts[contextName].Cluster], + &v1Cluster, + nil, + ) + if err != nil { + return v1.Cluster{}, err + } + + return v1Cluster, nil +} + +func newPinnipedKubeconfig(v1Cluster v1.Cluster, fullPathToSelf string, token string) v1.Config { + clusterName := "pinniped-cluster" + userName := "pinniped-user" + + return v1.Config{ + Kind: "Config", + APIVersion: v1.SchemeGroupVersion.Version, + Preferences: v1.Preferences{}, + Clusters: []v1.NamedCluster{ + { + Name: clusterName, + Cluster: v1Cluster, + }, + }, + Contexts: []v1.NamedContext{ + { + Name: clusterName, + Context: v1.Context{ + Cluster: clusterName, + AuthInfo: userName, + }, + }, + }, + AuthInfos: []v1.NamedAuthInfo{ + { + Name: userName, + AuthInfo: v1.AuthInfo{ + Exec: &v1.ExecConfig{ + Command: fullPathToSelf, + Args: []string{"exchange-credential"}, + Env: []v1.ExecEnvVar{ + {Name: "PINNIPED_K8S_API_ENDPOINT", Value: v1Cluster.Server}, + {Name: "PINNIPED_CA_BUNDLE", Value: string(v1Cluster.CertificateAuthorityData)}, + {Name: "PINNIPED_TOKEN", Value: token}, + }, + APIVersion: clientauthenticationv1beta1.SchemeGroupVersion.String(), + InstallHint: "The Pinniped CLI is required to authenticate to the current cluster.\n" + + "For more information, please visit https://pinniped.dev", + }, + }, + }, + }, + CurrentContext: clusterName, + } +} diff --git a/cmd/pinniped/cmd/get_kubeconfig_test.go b/cmd/pinniped/cmd/get_kubeconfig_test.go new file mode 100644 index 00000000..06738998 --- /dev/null +++ b/cmd/pinniped/cmd/get_kubeconfig_test.go @@ -0,0 +1,642 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package cmd + +import ( + "bytes" + "encoding/base64" + "fmt" + "io" + "os" + "testing" + + "github.com/sclevine/spec" + "github.com/sclevine/spec/report" + "github.com/stretchr/testify/require" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/client-go/rest" + + crdpinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1" + pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" + pinnipedfake "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/fake" + "github.com/suzerain-io/pinniped/internal/here" +) + +var ( + knownGoodUsageForGetKubeConfig = here.Doc(` + Usage: + get-kubeconfig [flags] + + Flags: + -h, --help help for get-kubeconfig + --kubeconfig string Path to the kubeconfig file + --kubeconfig-context string Kubeconfig context override + --pinniped-namespace string Namespace in which Pinniped was installed (default "pinniped") + --token string Credential to include in the resulting kubeconfig output (Required) + + `) + + knownGoodHelpForGetKubeConfig = here.Doc(` + Print a kubeconfig for authenticating into a cluster via Pinniped. + + Requires admin-like access to the cluster using the current + kubeconfig context in order to access Pinniped's metadata. + The current kubeconfig is found similar to how kubectl finds it: + using the value of the --kubeconfig option, or if that is not + specified then from the value of the KUBECONFIG environment + variable, or if that is not specified then it defaults to + .kube/config in your home directory. + + Prints a kubeconfig which is suitable to access the cluster using + Pinniped as the authentication mechanism. This kubeconfig output + can be saved to a file and used with future kubectl commands, e.g.: + pinniped get-kubeconfig --token $MY_TOKEN > $HOME/mycluster-kubeconfig + kubectl --kubeconfig $HOME/mycluster-kubeconfig get pods + + Usage: + get-kubeconfig [flags] + + Flags: + -h, --help help for get-kubeconfig + --kubeconfig string Path to the kubeconfig file + --kubeconfig-context string Kubeconfig context override + --pinniped-namespace string Namespace in which Pinniped was installed (default "pinniped") + --token string Credential to include in the resulting kubeconfig output (Required) + `) +) + +func TestNewGetKubeConfigCmd(t *testing.T) { + spec.Run(t, "newGetKubeConfigCmd", func(t *testing.T, when spec.G, it spec.S) { + var r *require.Assertions + var stdout, stderr *bytes.Buffer + + it.Before(func() { + r = require.New(t) + + stdout, stderr = bytes.NewBuffer([]byte{}), bytes.NewBuffer([]byte{}) + }) + + it("passes all flags to runFunc", func() { + args := []string{ + "--token", "some-token", + "--kubeconfig", "some-kubeconfig", + "--kubeconfig-context", "some-kubeconfig-context", + "--pinniped-namespace", "some-pinniped-namespace", + } + c := newGetKubeConfigCmd(args, stdout, stderr) + + runFuncCalled := false + c.runFunc = func( + out, err io.Writer, + token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string, + ) { + runFuncCalled = true + r.Equal("some-token", token) + r.Equal("some-kubeconfig", kubeconfigPathOverride) + r.Equal("some-kubeconfig-context", currentContextOverride) + r.Equal("some-pinniped-namespace", pinnipedInstallationNamespace) + } + + r.NoError(c.cmd.Execute()) + r.True(runFuncCalled) + r.Empty(stdout.String()) + r.Empty(stderr.String()) + }) + + it("requires the 'token' flag", func() { + args := []string{ + "--kubeconfig", "some-kubeconfig", + "--kubeconfig-context", "some-kubeconfig-context", + "--pinniped-namespace", "some-pinniped-namespace", + } + c := newGetKubeConfigCmd(args, stdout, stderr) + + runFuncCalled := false + c.runFunc = func( + out, err io.Writer, + token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string, + ) { + runFuncCalled = true + } + + errorMessage := `required flag(s) "token" not set` + r.EqualError(c.cmd.Execute(), errorMessage) + r.False(runFuncCalled) + + output := "Error: " + errorMessage + "\n" + knownGoodUsageForGetKubeConfig + r.Equal(output, stdout.String()) + r.Empty(stderr.String()) + }) + + it("defaults the flags correctly", func() { + args := []string{ + "--token", "some-token", + } + c := newGetKubeConfigCmd(args, stdout, stderr) + + runFuncCalled := false + c.runFunc = func( + out, err io.Writer, + token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string, + ) { + runFuncCalled = true + r.Equal("some-token", token) + r.Equal("", kubeconfigPathOverride) + r.Equal("", currentContextOverride) + r.Equal("pinniped", pinnipedInstallationNamespace) + } + + r.NoError(c.cmd.Execute()) + r.True(runFuncCalled) + r.Empty(stdout.String()) + r.Empty(stderr.String()) + }) + + it("fails when args are passed", func() { + args := []string{ + "--token", "some-token", + "some-arg", + } + c := newGetKubeConfigCmd(args, stdout, stderr) + + runFuncCalled := false + c.runFunc = func( + out, err io.Writer, + token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string, + ) { + runFuncCalled = true + } + + errorMessage := `unknown command "some-arg" for "get-kubeconfig"` + r.EqualError(c.cmd.Execute(), errorMessage) + r.False(runFuncCalled) + + output := "Error: " + errorMessage + "\n" + knownGoodUsageForGetKubeConfig + r.Equal(output, stdout.String()) + r.Empty(stderr.String()) + }) + + it("prints a nice help message", func() { + args := []string{ + "--help", + } + c := newGetKubeConfigCmd(args, stdout, stderr) + + runFuncCalled := false + c.runFunc = func( + out, err io.Writer, + token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string, + ) { + runFuncCalled = true + } + + r.NoError(c.cmd.Execute()) + r.False(runFuncCalled) + r.Equal(knownGoodHelpForGetKubeConfig, stdout.String()) + r.Empty(stderr.String()) + }) + }, spec.Parallel(), spec.Report(report.Terminal{})) +} + +//nolint: unparam +func expectedKubeconfigYAML(clusterCAData, clusterServer, command, token, pinnipedEndpoint, pinnipedCABundle string) string { + return here.Docf(` + apiVersion: v1 + clusters: + - cluster: + certificate-authority-data: %s + server: %s + name: pinniped-cluster + contexts: + - context: + cluster: pinniped-cluster + user: pinniped-user + name: pinniped-cluster + current-context: pinniped-cluster + kind: Config + preferences: {} + users: + - name: pinniped-user + user: + exec: + apiVersion: client.authentication.k8s.io/v1beta1 + args: + - exchange-credential + command: %s + env: + - name: PINNIPED_K8S_API_ENDPOINT + value: %s + - name: PINNIPED_CA_BUNDLE + value: %s + - name: PINNIPED_TOKEN + value: %s + installHint: |- + The Pinniped CLI is required to authenticate to the current cluster. + For more information, please visit https://pinniped.dev + `, clusterCAData, clusterServer, command, pinnipedEndpoint, pinnipedCABundle, token) +} + +func newCredentialIssuerConfig(server, certificateAuthorityData string) *crdpinnipedv1alpha1.CredentialIssuerConfig { + return &crdpinnipedv1alpha1.CredentialIssuerConfig{ + TypeMeta: metav1.TypeMeta{ + Kind: "CredentialIssuerConfig", + APIVersion: crdpinnipedv1alpha1.SchemeGroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "pinniped-config", + Namespace: "some-namespace", + }, + Status: crdpinnipedv1alpha1.CredentialIssuerConfigStatus{ + KubeConfigInfo: &crdpinnipedv1alpha1.CredentialIssuerConfigKubeConfigInfo{ + Server: server, + CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(certificateAuthorityData)), + }, + }, + } +} + +func TestGetKubeConfig(t *testing.T) { + spec.Run(t, "cmd.getKubeConfig", func(t *testing.T, when spec.G, it spec.S) { + var r *require.Assertions + var outputBuffer *bytes.Buffer + var warningsBuffer *bytes.Buffer + var fullPathToSelf string + var pinnipedClient *pinnipedfake.Clientset + + it.Before(func() { + r = require.New(t) + + outputBuffer = new(bytes.Buffer) + warningsBuffer = new(bytes.Buffer) + + var err error + fullPathToSelf, err = os.Executable() + r.NoError(err) + + pinnipedClient = pinnipedfake.NewSimpleClientset() + }) + + when("the CredentialIssuerConfig is found on the cluster with a configuration that matches the existing kubeconfig", func() { + it.Before(func() { + r.NoError(pinnipedClient.Tracker().Add( + newCredentialIssuerConfig("https://fake-server-url-value", "fake-certificate-authority-data-value"), + )) + }) + + it("writes the kubeconfig to the given writer", func() { + kubeClientCreatorFuncWasCalled := false + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + kubeClientCreatorFuncWasCalled = true + r.Equal("https://fake-server-url-value", restConfig.Host) + r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData)) + return pinnipedClient, nil + }, + ) + r.NoError(err) + r.True(kubeClientCreatorFuncWasCalled) + + r.Empty(warningsBuffer.String()) + r.Equal(expectedKubeconfigYAML( + base64.StdEncoding.EncodeToString([]byte("fake-certificate-authority-data-value")), + "https://fake-server-url-value", + fullPathToSelf, + "some-token", + "https://fake-server-url-value", + "fake-certificate-authority-data-value", + ), outputBuffer.String()) + }) + + when("the currentContextOverride is used to specify a context other than the default context", func() { + it.Before(func() { + // update the Server and CertificateAuthorityData to make them match the other kubeconfig context + r.NoError(pinnipedClient.Tracker().Update( + schema.GroupVersionResource{ + Group: crdpinnipedv1alpha1.GroupName, + Version: crdpinnipedv1alpha1.SchemeGroupVersion.Version, + Resource: "credentialissuerconfigs", + }, + newCredentialIssuerConfig( + "https://some-other-fake-server-url-value", + "some-other-fake-certificate-authority-data-value", + ), + "some-namespace", + )) + }) + + when("that context exists", func() { + it("writes the kubeconfig to the given writer using the specified context", func() { + kubeClientCreatorFuncWasCalled := false + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "some-other-context", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + kubeClientCreatorFuncWasCalled = true + r.Equal("https://some-other-fake-server-url-value", restConfig.Host) + r.Equal("some-other-fake-certificate-authority-data-value", string(restConfig.CAData)) + return pinnipedClient, nil + }, + ) + r.NoError(err) + r.True(kubeClientCreatorFuncWasCalled) + + r.Empty(warningsBuffer.String()) + r.Equal(expectedKubeconfigYAML( + base64.StdEncoding.EncodeToString([]byte("some-other-fake-certificate-authority-data-value")), + "https://some-other-fake-server-url-value", + fullPathToSelf, + "some-token", + "https://some-other-fake-server-url-value", + "some-other-fake-certificate-authority-data-value", + ), outputBuffer.String()) + }) + }) + + when("that context does not exist the in the current kubeconfig", func() { + it("returns an error", func() { + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "this-context-name-does-not-exist-in-kubeconfig.yaml", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { return pinnipedClient, nil }, + ) + r.EqualError(err, `context "this-context-name-does-not-exist-in-kubeconfig.yaml" does not exist`) + r.Empty(warningsBuffer.String()) + r.Empty(outputBuffer.String()) + }) + }) + }) + + when("the token passed in is empty", func() { + it("returns an error", func() { + err := getKubeConfig(outputBuffer, + warningsBuffer, + "", + "./testdata/kubeconfig.yaml", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { return pinnipedClient, nil }, + ) + r.EqualError(err, "--token flag value cannot be empty") + r.Empty(warningsBuffer.String()) + r.Empty(outputBuffer.String()) + }) + }) + + when("the kubeconfig path passed refers to a file that does not exist", func() { + it("returns an error", func() { + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/this-file-does-not-exist.yaml", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { return pinnipedClient, nil }, + ) + r.EqualError(err, "stat ./testdata/this-file-does-not-exist.yaml: no such file or directory") + r.Empty(warningsBuffer.String()) + r.Empty(outputBuffer.String()) + }) + }) + + when("the kubeconfig path parameter is empty", func() { + it.Before(func() { + // Note that this is technically polluting other parallel tests in this file, but other tests + // are always specifying the kubeconfigPathOverride parameter, so they're not actually looking + // at the value of this environment variable. + r.NoError(os.Setenv("KUBECONFIG", "./testdata/kubeconfig.yaml")) + }) + + it.After(func() { + r.NoError(os.Unsetenv("KUBECONFIG")) + }) + + it("falls back to using the KUBECONFIG env var to find the kubeconfig file", func() { + kubeClientCreatorFuncWasCalled := false + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + kubeClientCreatorFuncWasCalled = true + r.Equal("https://fake-server-url-value", restConfig.Host) + r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData)) + return pinnipedClient, nil + }, + ) + r.NoError(err) + r.True(kubeClientCreatorFuncWasCalled) + + r.Empty(warningsBuffer.String()) + r.Equal(expectedKubeconfigYAML( + base64.StdEncoding.EncodeToString([]byte("fake-certificate-authority-data-value")), + "https://fake-server-url-value", + fullPathToSelf, + "some-token", + "https://fake-server-url-value", + "fake-certificate-authority-data-value", + ), outputBuffer.String()) + }) + }) + + when("the wrong pinniped namespace is passed in", func() { + it("returns an error", func() { + kubeClientCreatorFuncWasCalled := false + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "", + "this-is-the-wrong-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + kubeClientCreatorFuncWasCalled = true + r.Equal("https://fake-server-url-value", restConfig.Host) + r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData)) + return pinnipedClient, nil + }, + ) + r.EqualError(err, `CredentialIssuerConfig "pinniped-config" was not found in namespace "this-is-the-wrong-namespace". Is Pinniped installed on this cluster in namespace "this-is-the-wrong-namespace"?`) + r.True(kubeClientCreatorFuncWasCalled) + }) + }) + }) + + when("the CredentialIssuerConfig is found on the cluster with a configuration that does not match the existing kubeconfig", func() { + when("the Server doesn't match", func() { + it.Before(func() { + r.NoError(pinnipedClient.Tracker().Add( + newCredentialIssuerConfig("non-matching-pinniped-server-url", "fake-certificate-authority-data-value"), + )) + }) + + it("writes the kubeconfig to the given writer using the values found in the local kubeconfig and issues a warning", func() { + kubeClientCreatorFuncWasCalled := false + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + kubeClientCreatorFuncWasCalled = true + r.Equal("https://fake-server-url-value", restConfig.Host) + r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData)) + return pinnipedClient, nil + }, + ) + r.NoError(err) + r.True(kubeClientCreatorFuncWasCalled) + + r.Equal( + "WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.\n", + warningsBuffer.String(), + ) + r.Equal(expectedKubeconfigYAML( + base64.StdEncoding.EncodeToString([]byte("fake-certificate-authority-data-value")), + "https://fake-server-url-value", + fullPathToSelf, + "some-token", + "https://fake-server-url-value", + "fake-certificate-authority-data-value", + ), outputBuffer.String()) + }) + }) + + when("the CA doesn't match", func() { + it.Before(func() { + r.NoError(pinnipedClient.Tracker().Add( + newCredentialIssuerConfig("https://fake-server-url-value", "non-matching-certificate-authority-data-value"), + )) + }) + + it("writes the kubeconfig to the given writer using the values found in the local kubeconfig and issues a warning", func() { + kubeClientCreatorFuncWasCalled := false + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + kubeClientCreatorFuncWasCalled = true + r.Equal("https://fake-server-url-value", restConfig.Host) + r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData)) + return pinnipedClient, nil + }, + ) + r.NoError(err) + r.True(kubeClientCreatorFuncWasCalled) + + r.Equal( + "WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.\n", + warningsBuffer.String(), + ) + r.Equal(expectedKubeconfigYAML( + base64.StdEncoding.EncodeToString([]byte("fake-certificate-authority-data-value")), + "https://fake-server-url-value", + fullPathToSelf, + "some-token", + "https://fake-server-url-value", + "fake-certificate-authority-data-value", + ), outputBuffer.String()) + }) + }) + }) + + when("the CredentialIssuerConfig is found on the cluster with an empty KubeConfigInfo", func() { + it.Before(func() { + r.NoError(pinnipedClient.Tracker().Add( + &crdpinnipedv1alpha1.CredentialIssuerConfig{ + TypeMeta: metav1.TypeMeta{ + Kind: "CredentialIssuerConfig", + APIVersion: crdpinnipedv1alpha1.SchemeGroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "pinniped-config", + Namespace: "some-namespace", + }, + Status: crdpinnipedv1alpha1.CredentialIssuerConfigStatus{}, + }, + )) + }) + + it("returns an error", func() { + kubeClientCreatorFuncWasCalled := false + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + kubeClientCreatorFuncWasCalled = true + r.Equal("https://fake-server-url-value", restConfig.Host) + r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData)) + return pinnipedClient, nil + }, + ) + r.True(kubeClientCreatorFuncWasCalled) + r.EqualError(err, `CredentialIssuerConfig "pinniped-config" was missing KubeConfigInfo`) + r.Empty(warningsBuffer.String()) + r.Empty(outputBuffer.String()) + }) + }) + + when("the CredentialIssuerConfig does not exist on the cluster", func() { + it("returns an error", func() { + kubeClientCreatorFuncWasCalled := false + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + kubeClientCreatorFuncWasCalled = true + r.Equal("https://fake-server-url-value", restConfig.Host) + r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData)) + return pinnipedClient, nil + }, + ) + r.True(kubeClientCreatorFuncWasCalled) + r.EqualError(err, `CredentialIssuerConfig "pinniped-config" was not found in namespace "some-namespace". Is Pinniped installed on this cluster in namespace "some-namespace"?`) + r.Empty(warningsBuffer.String()) + r.Empty(outputBuffer.String()) + }) + }) + + when("there is an error while getting the CredentialIssuerConfig from the cluster", func() { + it("returns an error", func() { + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + return nil, fmt.Errorf("some error getting CredentialIssuerConfig") + }, + ) + r.EqualError(err, "some error getting CredentialIssuerConfig") + r.Empty(warningsBuffer.String()) + r.Empty(outputBuffer.String()) + }) + }) + }, spec.Parallel(), spec.Report(report.Terminal{})) +} diff --git a/cmd/pinniped/cmd/root.go b/cmd/pinniped/cmd/root.go new file mode 100644 index 00000000..3ad05292 --- /dev/null +++ b/cmd/pinniped/cmd/root.go @@ -0,0 +1,30 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package cmd + +import ( + "fmt" + "os" + + "github.com/spf13/cobra" +) + +//nolint: gochecknoglobals +var rootCmd = &cobra.Command{ + Use: "pinniped", + Short: "pinniped", + Long: "pinniped is the client-side binary for use with Pinniped-enabled Kubernetes clusters.", + SilenceUsage: true, // do not print usage message when commands fail +} + +// Execute adds all child commands to the root command and sets flags appropriately. +// This is called by main.main(). It only needs to happen once to the rootCmd. +func Execute() { + if err := rootCmd.Execute(); err != nil { + fmt.Println(err) + os.Exit(1) + } +} diff --git a/cmd/pinniped/cmd/testdata/kubeconfig.yaml b/cmd/pinniped/cmd/testdata/kubeconfig.yaml new file mode 100644 index 00000000..c89a226e --- /dev/null +++ b/cmd/pinniped/cmd/testdata/kubeconfig.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +clusters: + - cluster: + certificate-authority-data: ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ== # fake-certificate-authority-data-value + server: https://fake-server-url-value + name: kind-kind + - cluster: + certificate-authority-data: c29tZS1vdGhlci1mYWtlLWNlcnRpZmljYXRlLWF1dGhvcml0eS1kYXRhLXZhbHVl # some-other-fake-certificate-authority-data-value + server: https://some-other-fake-server-url-value + name: some-other-cluster +contexts: + - context: + cluster: kind-kind + user: kind-kind + name: kind-kind + - context: + cluster: some-other-cluster + user: some-other-user + name: some-other-context +current-context: kind-kind +kind: Config +preferences: {} +users: + - name: kind-kind + user: + client-certificate-data: ZmFrZS1jbGllbnQtY2VydGlmaWNhdGUtZGF0YS12YWx1ZQ== # fake-client-certificate-data-value + client-key-data: ZmFrZS1jbGllbnQta2V5LWRhdGEtdmFsdWU= # fake-client-key-data-value + - name: some-other-user + user: + client-certificate-data: c29tZS1vdGhlci1mYWtlLWNsaWVudC1jZXJ0aWZpY2F0ZS1kYXRhLXZhbHVl # some-other-fake-client-certificate-data-value + client-key-data: c29tZS1vdGhlci1mYWtlLWNsaWVudC1rZXktZGF0YS12YWx1ZQ== # some-other-fake-client-key-data-value diff --git a/cmd/pinniped/main.go b/cmd/pinniped/main.go index b232d400..314019af 100644 --- a/cmd/pinniped/main.go +++ b/cmd/pinniped/main.go @@ -5,65 +5,8 @@ SPDX-License-Identifier: Apache-2.0 package main -import ( - "context" - "encoding/json" - "fmt" - "io" - "os" - "time" - - clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1" - - "github.com/suzerain-io/pinniped/internal/client" - "github.com/suzerain-io/pinniped/internal/constable" -) +import "github.com/suzerain-io/pinniped/cmd/pinniped/cmd" func main() { - err := run(os.LookupEnv, client.ExchangeToken, os.Stdout, 30*time.Second) - if err != nil { - _, _ = fmt.Fprintf(os.Stderr, "%s\n", err.Error()) - os.Exit(1) - } -} - -type envGetter func(string) (string, bool) -type tokenExchanger func(ctx context.Context, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) - -const ErrMissingEnvVar = constable.Error("failed to get credential: environment variable not set") - -func run(envGetter envGetter, tokenExchanger tokenExchanger, outputWriter io.Writer, timeout time.Duration) error { - ctx, cancel := context.WithTimeout(context.Background(), timeout) - defer cancel() - - token, varExists := envGetter("PINNIPED_TOKEN") - if !varExists { - return envVarNotSetError("PINNIPED_TOKEN") - } - - caBundle, varExists := envGetter("PINNIPED_CA_BUNDLE") - if !varExists { - return envVarNotSetError("PINNIPED_CA_BUNDLE") - } - - apiEndpoint, varExists := envGetter("PINNIPED_K8S_API_ENDPOINT") - if !varExists { - return envVarNotSetError("PINNIPED_K8S_API_ENDPOINT") - } - - cred, err := tokenExchanger(ctx, token, caBundle, apiEndpoint) - if err != nil { - return fmt.Errorf("failed to get credential: %w", err) - } - - err = json.NewEncoder(outputWriter).Encode(cred) - if err != nil { - return fmt.Errorf("failed to marshal response to stdout: %w", err) - } - - return nil -} - -func envVarNotSetError(varName string) error { - return fmt.Errorf("%w: %s", ErrMissingEnvVar, varName) + cmd.Execute() } diff --git a/deploy-local-user-authenticator/README.md b/deploy-local-user-authenticator/README.md index a4f4b88f..c305e113 100644 --- a/deploy-local-user-authenticator/README.md +++ b/deploy-local-user-authenticator/README.md @@ -14,8 +14,9 @@ User accounts can be created and edited dynamically using `kubectl` commands (se ## Tools -This example deployment uses `ytt` from [Carvel](https://carvel.dev/) to template the YAML files. -Either [install `ytt`](https://get-ytt.io/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags). +This example deployment uses `ytt` and `kapp` from [Carvel](https://carvel.dev/) to template the YAML files +and to deploy the app. +Either [install `ytt` and `kapp`](https://carvel.dev/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags). As well, this demo requires a tool capable of generating a `bcrypt` hash in order to interact with the webhook. The example below uses `htpasswd`, which is installed on most macOS systems, and can be diff --git a/deploy/README.md b/deploy/README.md index 96b0c344..005647ef 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -9,8 +9,9 @@ for details. ## Tools -This example deployment uses `ytt` from [Carvel](https://carvel.dev/) to template the YAML files. -Either [install `ytt`](https://get-ytt.io/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags). +This example deployment uses `ytt` and `kapp` from [Carvel](https://carvel.dev/) to template the YAML files +and to deploy the app. +Either [install `ytt` and `kapp`](https://carvel.dev/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags). ## Procedure diff --git a/deploy/crd.yaml b/deploy/crd.pinniped.dev_credentialissuerconfigs.yaml similarity index 100% rename from deploy/crd.yaml rename to deploy/crd.pinniped.dev_credentialissuerconfigs.yaml diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml index 28acfcde..03d56e0e 100644 --- a/deploy/deployment.yaml +++ b/deploy/deployment.yaml @@ -29,9 +29,6 @@ data: pinniped.yaml: | discovery: url: (@= data.values.discovery_url or "null" @) - webhook: - url: (@= data.values.webhook_url @) - caBundle: (@= data.values.webhook_ca_bundle @) api: servingCertificate: durationSeconds: (@= str(data.values.api_serving_certificate_duration_seconds) @) diff --git a/deploy/idp.pinniped.dev_webhookidentityproviders.yaml b/deploy/idp.pinniped.dev_webhookidentityproviders.yaml new file mode 100644 index 00000000..213b7ad2 --- /dev/null +++ b/deploy/idp.pinniped.dev_webhookidentityproviders.yaml @@ -0,0 +1,149 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + creationTimestamp: null + name: webhookidentityproviders.idp.pinniped.dev +spec: + group: idp.pinniped.dev + names: + categories: + - all + - idp + - idps + kind: WebhookIdentityProvider + listKind: WebhookIdentityProviderList + plural: webhookidentityproviders + shortNames: + - webhookidp + - webhookidps + singular: webhookidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: WebhookIdentityProvider describes the configuration of a Pinniped + webhook identity provider. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + endpoint: + description: Webhook server endpoint URL. + minLength: 1 + pattern: ^https:// + type: string + tls: + description: TLS configuration. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). + If omitted, a default set of system roots will be trusted. + type: string + type: object + required: + - endpoint + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Represents the observations of an identity provider's + current state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/deploy/rbac.yaml b/deploy/rbac.yaml index c0d5dddc..818453d8 100644 --- a/deploy/rbac.yaml +++ b/deploy/rbac.yaml @@ -47,8 +47,8 @@ rules: - apiGroups: [""] resources: [secrets] verbs: [create, get, list, patch, update, watch, delete] - - apiGroups: [crd.pinniped.dev] - resources: [credentialissuerconfigs] + - apiGroups: [crd.pinniped.dev, idp.pinniped.dev] + resources: ["*"] verbs: [create, get, list, update, watch] --- kind: RoleBinding diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml new file mode 100644 index 00000000..27a57def --- /dev/null +++ b/deploy/webhook.yaml @@ -0,0 +1,16 @@ +#! Copyright 2020 VMware, Inc. +#! SPDX-License-Identifier: Apache-2.0 + +#@ load("@ytt:data", "data") + +apiVersion: idp.pinniped.dev/v1alpha1 +kind: WebhookIdentityProvider +metadata: + name: #@ data.values.app_name + "-webhook" + namespace: #@ data.values.namespace + labels: + app: #@ data.values.app_name +spec: + endpoint: #@ data.values.webhook_url + tls: + certificateAuthorityData: #@ data.values.webhook_ca_bundle diff --git a/doc/demo.md b/doc/demo.md new file mode 100644 index 00000000..8ffb93f8 --- /dev/null +++ b/doc/demo.md @@ -0,0 +1,115 @@ +# Trying Pinniped + +## Prerequisites + +1. A Kubernetes cluster of a type supported by Pinniped. + Currently, Pinniped supports self-hosted clusters where the Kube Controller Manager pod + is accessible from Pinniped's pods. + Support for other types of Kubernetes distributions is coming soon. + + Don't have a cluster handy? Consider using [kind](https://kind.sigs.k8s.io/) on your local machine. + See below for an example of using kind. + +1. A kubeconfig where the current context points to that cluster and has admin-like + privileges on that cluster. + + Don't have an identity provider of a type supported by Pinniped handy? + Start by installing `local-user-authenticator` on the same cluster where you would like to try Pinniped + by following the directions in [deploy-local-user-authenticator/README.md](../deploy-local-user-authenticator/README.md). + See below for an example of deploying this on kind. + +## Steps + +### General Steps + +1. Install Pinniped by following the directions in [deploy/README.md](../deploy/README.md). +1. Download the Pinniped CLI from [Pinniped's github Releases page](https://github.com/suzerain-io/pinniped/releases/latest). +1. Generate a kubeconfig using the Pinniped CLI. Run `pinniped get-kubeconfig --help` for more information. +1. Run `kubectl` commands using the generated kubeconfig to authenticate using Pinniped during those commands. + +### Specific Example of Deploying on kind Using `local-user-authenticator` as the Identity Provider + +1. Install the tools required for the following steps. + + - This example deployment uses `ytt` and `kapp` from [Carvel](https://carvel.dev/) to template the YAML files + and to deploy the app. + Either [install `ytt` and `kapp`](https://carvel.dev/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags). + E.g. `brew install k14s/tap/ytt k14s/tap/kapp` on a Mac. + + - [Install kind](https://kind.sigs.k8s.io/docs/user/quick-start/), if not already installed. e.g. `brew install kind` on a Mac. + + - kind depends on Docker. If not already installed, [install Docker](https://docs.docker.com/get-docker/), e.g. `brew cask install docker` on a Mac. + + - This demo requires `kubectl`, which comes with Docker, or can be [installed separately](https://kubernetes.io/docs/tasks/tools/install-kubectl/). + + - This demo requires a tool capable of generating a `bcrypt` hash in order to interact with + the webhook. The example below uses `htpasswd`, which is installed on most macOS systems, and can be + installed on some Linux systems via the `apache2-utils` package (e.g., `apt-get install + apache2-utils`). + +1. Create a new Kubernetes cluster using `kind create cluster`. Optionally provide a cluster name using the `--name` flag. + kind will automatically update your kubeconfig to point to the new cluster. + +1. Clone this repo. + + ```bash + git clone https://github.com/suzerain-io/pinniped.git /tmp/pinniped --depth 1 + ``` + +1. Deploy the `local-user-authenticator` app: + + ```bash + cd /tmp/pinniped/deploy-local-user-authenticator + ytt --file . | kapp deploy --yes --app local-user-authenticator --diff-changes --file - + ``` + +1. Create a test user. + + ```bash + kubectl create secret generic pinny-the-seal \ + --namespace local-user-authenticator \ + --from-literal=groups=group1,group2 \ + --from-literal=passwordHash=$(htpasswd -nbBC 10 x password123 | sed -e "s/^x://") + ``` + +1. Fetch the auto-generated CA bundle for the `local-user-authenticator`'s HTTP TLS endpoint. + + ```bash + kubectl get secret api-serving-cert --namespace local-user-authenticator \ + -o jsonpath={.data.caCertificate} \ + | base64 -d \ + | tee /tmp/local-user-authenticator-ca + ``` +1. Deploy Pinniped. + + ```bash + cd /tmp/pinniped/deploy + ytt --file . | kapp deploy --yes --app pinniped --diff-changes --file - \ + --data-value "webhook_url=https://local-user-authenticator.local-user-authenticator.svc/authenticate" \ + --data-value "webhook_ca_bundle=$(cat /tmp/local-user-authenticator-ca)" + ``` + +1. Download the latest version of the Pinniped CLI binary for your platform + from [Pinniped's github Releases page](https://github.com/suzerain-io/pinniped/releases/latest). + +1. Move the Pinniped CLI binary to your preferred directory and add the executable bit, + e.g. `chmod +x /usr/local/bin/pinniped`. + +1. Generate a kubeconfig. + + ```bash + pinniped get-kubeconfig --token "pinny-the-seal:password123" > /tmp/pinniped-kubeconfig + ``` + +1. Create RBAC rules for the test user to give them permissions to perform actions on the cluster. + For example, grant the test user permission to view all cluster resources. + + ```bash + kubectl create clusterrolebinding pinny-can-read --clusterrole view --user pinny-the-seal + ``` + +1. Use the generated kubeconfig to issue arbitrary `kubectl` commands as the `pinny-the-seal` user. + + ```bash + kubectl --kubeconfig /tmp/pinniped-kubeconfig get pods -n pinniped + ``` diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 44028a1d..8015915a 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc @@ -6,6 +6,7 @@ .Packages - xref:{anchor_prefix}-crd-pinniped-dev-v1alpha1[$$crd.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-idp-pinniped-dev-v1alpha1[$$idp.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-pinniped-dev-v1alpha1[$$pinniped.dev/v1alpha1$$] @@ -95,6 +96,110 @@ Status of a credential issuer. +[id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"] +=== idp.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API. + + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-tlsspec"] +==== TLSSpec + +Configuration for configuring TLS on various identity providers. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityprovider"] +==== WebhookIdentityProvider + +WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderspec"] +==== WebhookIdentityProviderSpec + +Spec for configuring a webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`endpoint`* __string__ | Webhook server endpoint URL. +| *`tls`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderstatus"] +==== WebhookIdentityProviderStatus + +Status of a webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`conditions`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state. +|=== + + + [id="{anchor_prefix}-pinniped-dev-v1alpha1"] === pinniped.dev/v1alpha1 @@ -105,7 +210,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-pinniped-v1alpha1-credentialrequest"] ==== CredentialRequest - +CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. .Appears In: **** @@ -125,7 +230,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-pinniped-v1alpha1-credentialrequestcredential"] ==== CredentialRequestCredential - +CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster. .Appears In: **** @@ -147,7 +252,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-pinniped-v1alpha1-credentialrequestspec"] ==== CredentialRequestSpec - +CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API .Appears In: **** @@ -165,7 +270,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-pinniped-v1alpha1-credentialrequeststatus"] ==== CredentialRequestStatus - +CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API. .Appears In: **** @@ -183,7 +288,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-pinniped-v1alpha1-credentialrequesttokencredential"] ==== CredentialRequestTokenCredential - +CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider. .Appears In: **** diff --git a/generated/1.17/apis/idp/doc.go b/generated/1.17/apis/idp/doc.go new file mode 100644 index 00000000..b7689b2b --- /dev/null +++ b/generated/1.17/apis/idp/doc.go @@ -0,0 +1,10 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// +k8s:deepcopy-gen=package +// +groupName=idp.pinniped.dev + +// Package idp is the internal version of the Pinniped identity provider API. +package idp diff --git a/generated/1.17/apis/idp/v1alpha1/conversion.go b/generated/1.17/apis/idp/v1alpha1/conversion.go new file mode 100644 index 00000000..63bc360f --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/conversion.go @@ -0,0 +1,6 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 diff --git a/generated/1.17/apis/idp/v1alpha1/defaults.go b/generated/1.17/apis/idp/v1alpha1/defaults.go new file mode 100644 index 00000000..ba08404d --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/defaults.go @@ -0,0 +1,14 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime" +) + +func addDefaultingFuncs(scheme *runtime.Scheme) error { + return RegisterDefaults(scheme) +} diff --git a/generated/1.17/apis/idp/v1alpha1/doc.go b/generated/1.17/apis/idp/v1alpha1/doc.go new file mode 100644 index 00000000..5c4eeaad --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/doc.go @@ -0,0 +1,14 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=github.com/suzerain-io/pinniped/generated/1.17/apis/idp +// +k8s:defaulter-gen=TypeMeta +// +groupName=idp.pinniped.dev +// +groupGoName=IDP + +// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API. +package v1alpha1 diff --git a/generated/1.17/apis/idp/v1alpha1/register.go b/generated/1.17/apis/idp/v1alpha1/register.go new file mode 100644 index 00000000..b7878a21 --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/register.go @@ -0,0 +1,45 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "idp.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &WebhookIdentityProvider{}, + &WebhookIdentityProviderList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/generated/1.17/apis/idp/v1alpha1/types_meta.go b/generated/1.17/apis/idp/v1alpha1/types_meta.go new file mode 100644 index 00000000..fe4a5c25 --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/types_meta.go @@ -0,0 +1,77 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} diff --git a/generated/1.17/apis/idp/v1alpha1/types_tls.go b/generated/1.17/apis/idp/v1alpha1/types_tls.go new file mode 100644 index 00000000..64f355e6 --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/types_tls.go @@ -0,0 +1,13 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +// Configuration for configuring TLS on various identity providers. +type TLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` +} diff --git a/generated/1.17/apis/idp/v1alpha1/types_webhook.go b/generated/1.17/apis/idp/v1alpha1/types_webhook.go new file mode 100644 index 00000000..046a16cb --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/types_webhook.go @@ -0,0 +1,55 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// Status of a webhook identity provider. +type WebhookIdentityProviderStatus struct { + // Represents the observations of an identity provider's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// Spec for configuring a webhook identity provider. +type WebhookIdentityProviderSpec struct { + // Webhook server endpoint URL. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://` + Endpoint string `json:"endpoint"` + + // TLS configuration. + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps +// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint` +type WebhookIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec WebhookIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status WebhookIdentityProviderStatus `json:"status,omitempty"` +} + +// List of WebhookIdentityProvider objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type WebhookIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []WebhookIdentityProvider `json:"items"` +} diff --git a/generated/1.17/apis/idp/v1alpha1/zz_generated.conversion.go b/generated/1.17/apis/idp/v1alpha1/zz_generated.conversion.go new file mode 100644 index 00000000..f39942f8 --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/zz_generated.conversion.go @@ -0,0 +1,24 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + return nil +} diff --git a/generated/1.17/apis/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/idp/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000..29ed1e8e --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/zz_generated.deepcopy.go @@ -0,0 +1,152 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec. +func (in *TLSSpec) DeepCopy() *TLSSpec { + if in == nil { + return nil + } + out := new(TLSSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProvider. +func (in *WebhookIdentityProvider) DeepCopy() *WebhookIdentityProvider { + if in == nil { + return nil + } + out := new(WebhookIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]WebhookIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderList. +func (in *WebhookIdentityProviderList) DeepCopy() *WebhookIdentityProviderList { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProviderSpec) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderSpec. +func (in *WebhookIdentityProviderSpec) DeepCopy() *WebhookIdentityProviderSpec { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderStatus. +func (in *WebhookIdentityProviderStatus) DeepCopy() *WebhookIdentityProviderStatus { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.17/apis/idp/v1alpha1/zz_generated.defaults.go b/generated/1.17/apis/idp/v1alpha1/zz_generated.defaults.go new file mode 100644 index 00000000..1612aa4d --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/zz_generated.defaults.go @@ -0,0 +1,21 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/generated/1.17/apis/idp/zz_generated.deepcopy.go b/generated/1.17/apis/idp/zz_generated.deepcopy.go new file mode 100644 index 00000000..0869390d --- /dev/null +++ b/generated/1.17/apis/idp/zz_generated.deepcopy.go @@ -0,0 +1,10 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package idp diff --git a/generated/1.17/apis/pinniped/v1alpha1/types.go b/generated/1.17/apis/pinniped/v1alpha1/types.go index 0037021e..420f1402 100644 --- a/generated/1.17/apis/pinniped/v1alpha1/types.go +++ b/generated/1.17/apis/pinniped/v1alpha1/types.go @@ -13,19 +13,23 @@ const ( TokenCredentialType = CredentialType("token") ) +// CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider. type CredentialRequestTokenCredential struct { // Value of the bearer token supplied with the credential request. - Value string `json:"value,omitempty" protobuf:"bytes,1,opt,name=value"` + Value string `json:"value,omitempty"` } +// CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API type CredentialRequestSpec struct { // Type of credential. - Type CredentialType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type"` + Type CredentialType `json:"type,omitempty"` // Token credential (when Type == TokenCredentialType). - Token *CredentialRequestTokenCredential `json:"token,omitempty" protobuf:"bytes,2,opt,name=token"` + Token *CredentialRequestTokenCredential `json:"token,omitempty"` } +// CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It +// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster. type CredentialRequestCredential struct { // ExpirationTimestamp indicates a time when the provided credentials expire. ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"` @@ -40,6 +44,7 @@ type CredentialRequestCredential struct { ClientKeyData string `json:"clientKeyData,omitempty"` } +// CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API. type CredentialRequestStatus struct { // A Credential will be returned for a successful credential request. // +optional @@ -50,25 +55,25 @@ type CredentialRequestStatus struct { Message *string `json:"message,omitempty"` } +// CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. // +genclient // +genclient:nonNamespaced // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - type CredentialRequest struct { metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ObjectMeta `json:"metadata,omitempty"` - Spec CredentialRequestSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` - Status CredentialRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` + Spec CredentialRequestSpec `json:"spec,omitempty"` + Status CredentialRequestStatus `json:"status,omitempty"` } -// +genclient:nonNamespaced -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // CredentialRequestList is a list of CredentialRequest objects. +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type CredentialRequestList struct { metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ListMeta `json:"metadata,omitempty"` - Items []CredentialRequest `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []CredentialRequest `json:"items"` } diff --git a/generated/1.17/client/clientset/versioned/clientset.go b/generated/1.17/client/clientset/versioned/clientset.go index b383ee3b..3c7fd8a5 100644 --- a/generated/1.17/client/clientset/versioned/clientset.go +++ b/generated/1.17/client/clientset/versioned/clientset.go @@ -11,6 +11,7 @@ import ( "fmt" crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/pinniped/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" @@ -20,6 +21,7 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface + IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface } @@ -28,6 +30,7 @@ type Interface interface { type Clientset struct { *discovery.DiscoveryClient crdV1alpha1 *crdv1alpha1.CrdV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client pinnipedV1alpha1 *pinnipedv1alpha1.PinnipedV1alpha1Client } @@ -36,6 +39,11 @@ func (c *Clientset) CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface { return c.crdV1alpha1 } +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return c.iDPV1alpha1 +} + // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface { return c.pinnipedV1alpha1 @@ -66,6 +74,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } + cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.pinnipedV1alpha1, err = pinnipedv1alpha1.NewForConfig(&configShallowCopy) if err != nil { return nil, err @@ -83,6 +95,7 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.crdV1alpha1 = crdv1alpha1.NewForConfigOrDie(c) + cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) cs.pinnipedV1alpha1 = pinnipedv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) @@ -93,6 +106,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { func New(c rest.Interface) *Clientset { var cs Clientset cs.crdV1alpha1 = crdv1alpha1.New(c) + cs.iDPV1alpha1 = idpv1alpha1.New(c) cs.pinnipedV1alpha1 = pinnipedv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) diff --git a/generated/1.17/client/clientset/versioned/fake/clientset_generated.go b/generated/1.17/client/clientset/versioned/fake/clientset_generated.go index 037f6b27..50fb438f 100644 --- a/generated/1.17/client/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.17/client/clientset/versioned/fake/clientset_generated.go @@ -11,6 +11,8 @@ import ( clientset "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned" crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/crdpinniped/v1alpha1" fakecrdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/crdpinniped/v1alpha1/fake" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1" + fakeidpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/pinniped/v1alpha1" fakepinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/pinniped/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" @@ -72,6 +74,11 @@ func (c *Clientset) CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface { return &fakecrdv1alpha1.FakeCrdV1alpha1{Fake: &c.Fake} } +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} +} + // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface { return &fakepinnipedv1alpha1.FakePinnipedV1alpha1{Fake: &c.Fake} diff --git a/generated/1.17/client/clientset/versioned/fake/register.go b/generated/1.17/client/clientset/versioned/fake/register.go index 870a40fc..4aaf5bc0 100644 --- a/generated/1.17/client/clientset/versioned/fake/register.go +++ b/generated/1.17/client/clientset/versioned/fake/register.go @@ -9,6 +9,7 @@ package fake import ( crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -22,6 +23,7 @@ var codecs = serializer.NewCodecFactory(scheme) var parameterCodec = runtime.NewParameterCodec(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ crdv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, pinnipedv1alpha1.AddToScheme, } diff --git a/generated/1.17/client/clientset/versioned/scheme/register.go b/generated/1.17/client/clientset/versioned/scheme/register.go index db9ab47f..0c0f370f 100644 --- a/generated/1.17/client/clientset/versioned/scheme/register.go +++ b/generated/1.17/client/clientset/versioned/scheme/register.go @@ -9,6 +9,7 @@ package scheme import ( crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -22,6 +23,7 @@ var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ crdv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, pinnipedv1alpha1.AddToScheme, } diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/doc.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/doc.go new file mode 100644 index 00000000..40c99ba8 --- /dev/null +++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/doc.go @@ -0,0 +1,9 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go new file mode 100644 index 00000000..d51c7ce7 --- /dev/null +++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go @@ -0,0 +1,9 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go new file mode 100644 index 00000000..c2218c54 --- /dev/null +++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -0,0 +1,29 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeIDPV1alpha1 struct { + *testing.Fake +} + +func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface { + return &FakeWebhookIdentityProviders{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeIDPV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go new file mode 100644 index 00000000..d95c4173 --- /dev/null +++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go @@ -0,0 +1,129 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface +type FakeWebhookIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"} + +var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"} + +// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any. +func (c *FakeWebhookIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors. +func (c *FakeWebhookIdentityProviders) List(opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(webhookidentityprovidersResource, webhookidentityprovidersKind, c.ns, opts), &v1alpha1.WebhookIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.WebhookIdentityProviderList{ListMeta: obj.(*v1alpha1.WebhookIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.WebhookIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested webhookIdentityProviders. +func (c *FakeWebhookIdentityProviders) Watch(opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(webhookidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a webhookIdentityProvider and creates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *FakeWebhookIdentityProviders) Create(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *FakeWebhookIdentityProviders) Update(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeWebhookIdentityProviders) UpdateStatus(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(webhookidentityprovidersResource, "status", c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeWebhookIdentityProviders) Delete(name string, options *v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeWebhookIdentityProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(webhookidentityprovidersResource, c.ns, listOptions) + + _, err := c.Fake.Invokes(action, &v1alpha1.WebhookIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched webhookIdentityProvider. +func (c *FakeWebhookIdentityProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(webhookidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..bd61370a --- /dev/null +++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -0,0 +1,10 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type WebhookIdentityProviderExpansion interface{} diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go new file mode 100644 index 00000000..e1f7eb1e --- /dev/null +++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -0,0 +1,78 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1" + "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type IDPV1alpha1Interface interface { + RESTClient() rest.Interface + WebhookIdentityProvidersGetter +} + +// IDPV1alpha1Client is used to interact with features provided by the idp.pinniped.dev group. +type IDPV1alpha1Client struct { + restClient rest.Interface +} + +func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface { + return newWebhookIdentityProviders(c, namespace) +} + +// NewForConfig creates a new IDPV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &IDPV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new IDPV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *IDPV1alpha1Client { + return &IDPV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *IDPV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 00000000..ea52e30d --- /dev/null +++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,180 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "time" + + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1" + scheme "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// WebhookIdentityProvidersGetter has a method to return a WebhookIdentityProviderInterface. +// A group's client should implement this interface. +type WebhookIdentityProvidersGetter interface { + WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface +} + +// WebhookIdentityProviderInterface has methods to work with WebhookIdentityProvider resources. +type WebhookIdentityProviderInterface interface { + Create(*v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error) + Update(*v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error) + UpdateStatus(*v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error) + Delete(name string, options *v1.DeleteOptions) error + DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error + Get(name string, options v1.GetOptions) (*v1alpha1.WebhookIdentityProvider, error) + List(opts v1.ListOptions) (*v1alpha1.WebhookIdentityProviderList, error) + Watch(opts v1.ListOptions) (watch.Interface, error) + Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) + WebhookIdentityProviderExpansion +} + +// webhookIdentityProviders implements WebhookIdentityProviderInterface +type webhookIdentityProviders struct { + client rest.Interface + ns string +} + +// newWebhookIdentityProviders returns a WebhookIdentityProviders +func newWebhookIdentityProviders(c *IDPV1alpha1Client, namespace string) *webhookIdentityProviders { + return &webhookIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any. +func (c *webhookIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors. +func (c *webhookIdentityProviders) List(opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.WebhookIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested webhookIdentityProviders. +func (c *webhookIdentityProviders) Watch(opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch() +} + +// Create takes the representation of a webhookIdentityProvider and creates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *webhookIdentityProviders) Create(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Body(webhookIdentityProvider). + Do(). + Into(result) + return +} + +// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *webhookIdentityProviders) Update(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(webhookIdentityProvider.Name). + Body(webhookIdentityProvider). + Do(). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). + +func (c *webhookIdentityProviders) UpdateStatus(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(webhookIdentityProvider.Name). + SubResource("status"). + Body(webhookIdentityProvider). + Do(). + Into(result) + return +} + +// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs. +func (c *webhookIdentityProviders) Delete(name string, options *v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(name). + Body(options). + Do(). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *webhookIdentityProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error { + var timeout time.Duration + if listOptions.TimeoutSeconds != nil { + timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&listOptions, scheme.ParameterCodec). + Timeout(timeout). + Body(options). + Do(). + Error() +} + +// Patch applies the patch and returns the patched webhookIdentityProvider. +func (c *webhookIdentityProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("webhookidentityproviders"). + SubResource(subresources...). + Name(name). + Body(data). + Do(). + Into(result) + return +} diff --git a/generated/1.17/client/informers/externalversions/factory.go b/generated/1.17/client/informers/externalversions/factory.go index d8dcbc66..334b9895 100644 --- a/generated/1.17/client/informers/externalversions/factory.go +++ b/generated/1.17/client/informers/externalversions/factory.go @@ -14,6 +14,7 @@ import ( versioned "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned" crdpinniped "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/crdpinniped" + idp "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/idp" internalinterfaces "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/internalinterfaces" pinniped "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/pinniped" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -163,6 +164,7 @@ type SharedInformerFactory interface { WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool Crd() crdpinniped.Interface + IDP() idp.Interface Pinniped() pinniped.Interface } @@ -170,6 +172,10 @@ func (f *sharedInformerFactory) Crd() crdpinniped.Interface { return crdpinniped.New(f, f.namespace, f.tweakListOptions) } +func (f *sharedInformerFactory) IDP() idp.Interface { + return idp.New(f, f.namespace, f.tweakListOptions) +} + func (f *sharedInformerFactory) Pinniped() pinniped.Interface { return pinniped.New(f, f.namespace, f.tweakListOptions) } diff --git a/generated/1.17/client/informers/externalversions/generic.go b/generated/1.17/client/informers/externalversions/generic.go index 2f362503..a1e05321 100644 --- a/generated/1.17/client/informers/externalversions/generic.go +++ b/generated/1.17/client/informers/externalversions/generic.go @@ -11,6 +11,7 @@ import ( "fmt" v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" @@ -46,6 +47,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"): return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha1().CredentialIssuerConfigs().Informer()}, nil + // Group=idp.pinniped.dev, Version=v1alpha1 + case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil + // Group=pinniped.dev, Version=v1alpha1 case pinnipedv1alpha1.SchemeGroupVersion.WithResource("credentialrequests"): return &genericInformer{resource: resource.GroupResource(), informer: f.Pinniped().V1alpha1().CredentialRequests().Informer()}, nil diff --git a/generated/1.17/client/informers/externalversions/idp/interface.go b/generated/1.17/client/informers/externalversions/idp/interface.go new file mode 100644 index 00000000..3fbbb292 --- /dev/null +++ b/generated/1.17/client/informers/externalversions/idp/interface.go @@ -0,0 +1,35 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package idp + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/idp/v1alpha1" + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/internalinterfaces" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/1.17/client/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.17/client/informers/externalversions/idp/v1alpha1/interface.go new file mode 100644 index 00000000..f30b988e --- /dev/null +++ b/generated/1.17/client/informers/externalversions/idp/v1alpha1/interface.go @@ -0,0 +1,34 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // WebhookIdentityProviders returns a WebhookIdentityProviderInformer. + WebhookIdentityProviders() WebhookIdentityProviderInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// WebhookIdentityProviders returns a WebhookIdentityProviderInformer. +func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer { + return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 00000000..c1b6587e --- /dev/null +++ b/generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,78 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + time "time" + + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1" + versioned "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned" + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/internalinterfaces" + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// WebhookIdentityProviderInformer provides access to a shared informer and lister for +// WebhookIdentityProviders. +type WebhookIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.WebhookIdentityProviderLister +} + +type webhookIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredWebhookIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().WebhookIdentityProviders(namespace).List(options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().WebhookIdentityProviders(namespace).Watch(options) + }, + }, + &idpv1alpha1.WebhookIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredWebhookIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.WebhookIdentityProvider{}, f.defaultInformer) +} + +func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister { + return v1alpha1.NewWebhookIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.17/client/listers/idp/v1alpha1/expansion_generated.go b/generated/1.17/client/listers/idp/v1alpha1/expansion_generated.go new file mode 100644 index 00000000..61d85cbe --- /dev/null +++ b/generated/1.17/client/listers/idp/v1alpha1/expansion_generated.go @@ -0,0 +1,16 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// WebhookIdentityProviderListerExpansion allows custom methods to be added to +// WebhookIdentityProviderLister. +type WebhookIdentityProviderListerExpansion interface{} + +// WebhookIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// WebhookIdentityProviderNamespaceLister. +type WebhookIdentityProviderNamespaceListerExpansion interface{} diff --git a/generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 00000000..d7107c00 --- /dev/null +++ b/generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,83 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// WebhookIdentityProviderLister helps list WebhookIdentityProviders. +type WebhookIdentityProviderLister interface { + // List lists all WebhookIdentityProviders in the indexer. + List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) + // WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders. + WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister + WebhookIdentityProviderListerExpansion +} + +// webhookIdentityProviderLister implements the WebhookIdentityProviderLister interface. +type webhookIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewWebhookIdentityProviderLister returns a new WebhookIdentityProviderLister. +func NewWebhookIdentityProviderLister(indexer cache.Indexer) WebhookIdentityProviderLister { + return &webhookIdentityProviderLister{indexer: indexer} +} + +// List lists all WebhookIdentityProviders in the indexer. +func (s *webhookIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider)) + }) + return ret, err +} + +// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders. +func (s *webhookIdentityProviderLister) WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister { + return webhookIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// WebhookIdentityProviderNamespaceLister helps list and get WebhookIdentityProviders. +type WebhookIdentityProviderNamespaceLister interface { + // List lists all WebhookIdentityProviders in the indexer for a given namespace. + List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) + // Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name. + Get(name string) (*v1alpha1.WebhookIdentityProvider, error) + WebhookIdentityProviderNamespaceListerExpansion +} + +// webhookIdentityProviderNamespaceLister implements the WebhookIdentityProviderNamespaceLister +// interface. +type webhookIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all WebhookIdentityProviders in the indexer for a given namespace. +func (s webhookIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name. +func (s webhookIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.WebhookIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("webhookidentityprovider"), name) + } + return obj.(*v1alpha1.WebhookIdentityProvider), nil +} diff --git a/generated/1.17/client/openapi/zz_generated.openapi.go b/generated/1.17/client/openapi/zz_generated.openapi.go index 7f3e6439..90cf9920 100644 --- a/generated/1.17/client/openapi/zz_generated.openapi.go +++ b/generated/1.17/client/openapi/zz_generated.openapi.go @@ -24,6 +24,12 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1.CredentialIssuerConfigList": schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfigList(ref), "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStatus": schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStatus(ref), "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStrategy": schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref), + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.Condition": schema_117_apis_idp_v1alpha1_Condition(ref), + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.TLSSpec": schema_117_apis_idp_v1alpha1_TLSSpec(ref), + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProvider": schema_117_apis_idp_v1alpha1_WebhookIdentityProvider(ref), + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderList": schema_117_apis_idp_v1alpha1_WebhookIdentityProviderList(ref), + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderSpec": schema_117_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref), + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderStatus": schema_117_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref), "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1.CredentialRequest": schema_117_apis_pinniped_v1alpha1_CredentialRequest(ref), "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1.CredentialRequestCredential": schema_117_apis_pinniped_v1alpha1_CredentialRequestCredential(ref), "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1.CredentialRequestList": schema_117_apis_pinniped_v1alpha1_CredentialRequestList(ref), @@ -283,11 +289,250 @@ func schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref com } } +func schema_117_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type of condition in CamelCase or in foo.example.com/CamelCase.", + Type: []string{"string"}, + Format: "", + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status of the condition, one of True, False, Unknown.", + Type: []string{"string"}, + Format: "", + }, + }, + "observedGeneration": { + SchemaProps: spec.SchemaProps{ + Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "lastTransitionTime": { + SchemaProps: spec.SchemaProps{ + Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + }, + }, + "reason": { + SchemaProps: spec.SchemaProps{ + Description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.", + Type: []string{"string"}, + Format: "", + }, + }, + "message": { + SchemaProps: spec.SchemaProps{ + Description: "message is a human readable message indicating details about the transition. This may be an empty string.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"type", "status", "lastTransitionTime", "reason", "message"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, + } +} + +func schema_117_apis_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Configuration for configuring TLS on various identity providers.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "certificateAuthorityData": { + SchemaProps: spec.SchemaProps{ + Description: "X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_117_apis_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "Spec for configuring the identity provider.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderSpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "Status of the identity provider.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderStatus"), + }, + }, + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderSpec", "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_117_apis_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "List of WebhookIdentityProvider objects.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProvider"), + }, + }, + }, + }, + }, + }, + Required: []string{"items"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_117_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Spec for configuring a webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "endpoint": { + SchemaProps: spec.SchemaProps{ + Description: "Webhook server endpoint URL.", + Type: []string{"string"}, + Format: "", + }, + }, + "tls": { + SchemaProps: spec.SchemaProps{ + Description: "TLS configuration.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.TLSSpec"), + }, + }, + }, + Required: []string{"endpoint"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.TLSSpec"}, + } +} + +func schema_117_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Status of a webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "Represents the observations of an identity provider's current state.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.Condition"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.Condition"}, + } +} + func schema_117_apis_pinniped_v1alpha1_CredentialRequest(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { SchemaProps: spec.SchemaProps{ @@ -330,7 +575,8 @@ func schema_117_apis_pinniped_v1alpha1_CredentialRequestCredential(ref common.Re return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "expirationTimestamp": { SchemaProps: spec.SchemaProps{ @@ -418,7 +664,8 @@ func schema_117_apis_pinniped_v1alpha1_CredentialRequestSpec(ref common.Referenc return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ @@ -445,7 +692,8 @@ func schema_117_apis_pinniped_v1alpha1_CredentialRequestStatus(ref common.Refere return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "credential": { SchemaProps: spec.SchemaProps{ @@ -472,7 +720,8 @@ func schema_117_apis_pinniped_v1alpha1_CredentialRequestTokenCredential(ref comm return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "value": { SchemaProps: spec.SchemaProps{ diff --git a/generated/1.17/crds/idp.pinniped.dev_webhookidentityproviders.yaml b/generated/1.17/crds/idp.pinniped.dev_webhookidentityproviders.yaml new file mode 100644 index 00000000..213b7ad2 --- /dev/null +++ b/generated/1.17/crds/idp.pinniped.dev_webhookidentityproviders.yaml @@ -0,0 +1,149 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + creationTimestamp: null + name: webhookidentityproviders.idp.pinniped.dev +spec: + group: idp.pinniped.dev + names: + categories: + - all + - idp + - idps + kind: WebhookIdentityProvider + listKind: WebhookIdentityProviderList + plural: webhookidentityproviders + shortNames: + - webhookidp + - webhookidps + singular: webhookidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: WebhookIdentityProvider describes the configuration of a Pinniped + webhook identity provider. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + endpoint: + description: Webhook server endpoint URL. + minLength: 1 + pattern: ^https:// + type: string + tls: + description: TLS configuration. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). + If omitted, a default set of system roots will be trusted. + type: string + type: object + required: + - endpoint + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Represents the observations of an identity provider's + current state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index 99e78c4a..3e7c5f74 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc @@ -6,6 +6,7 @@ .Packages - xref:{anchor_prefix}-crd-pinniped-dev-v1alpha1[$$crd.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-idp-pinniped-dev-v1alpha1[$$idp.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-pinniped-dev-v1alpha1[$$pinniped.dev/v1alpha1$$] @@ -95,6 +96,110 @@ Status of a credential issuer. +[id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"] +=== idp.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API. + + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-tlsspec"] +==== TLSSpec + +Configuration for configuring TLS on various identity providers. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityprovider"] +==== WebhookIdentityProvider + +WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderspec"] +==== WebhookIdentityProviderSpec + +Spec for configuring a webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`endpoint`* __string__ | Webhook server endpoint URL. +| *`tls`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderstatus"] +==== WebhookIdentityProviderStatus + +Status of a webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`conditions`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state. +|=== + + + [id="{anchor_prefix}-pinniped-dev-v1alpha1"] === pinniped.dev/v1alpha1 @@ -105,7 +210,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-pinniped-v1alpha1-credentialrequest"] ==== CredentialRequest - +CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. .Appears In: **** @@ -125,7 +230,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-pinniped-v1alpha1-credentialrequestcredential"] ==== CredentialRequestCredential - +CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster. .Appears In: **** @@ -147,7 +252,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-pinniped-v1alpha1-credentialrequestspec"] ==== CredentialRequestSpec - +CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API .Appears In: **** @@ -165,7 +270,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-pinniped-v1alpha1-credentialrequeststatus"] ==== CredentialRequestStatus - +CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API. .Appears In: **** @@ -183,7 +288,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-pinniped-v1alpha1-credentialrequesttokencredential"] ==== CredentialRequestTokenCredential - +CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider. .Appears In: **** diff --git a/generated/1.18/apis/idp/doc.go b/generated/1.18/apis/idp/doc.go new file mode 100644 index 00000000..b7689b2b --- /dev/null +++ b/generated/1.18/apis/idp/doc.go @@ -0,0 +1,10 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// +k8s:deepcopy-gen=package +// +groupName=idp.pinniped.dev + +// Package idp is the internal version of the Pinniped identity provider API. +package idp diff --git a/generated/1.18/apis/idp/v1alpha1/conversion.go b/generated/1.18/apis/idp/v1alpha1/conversion.go new file mode 100644 index 00000000..63bc360f --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/conversion.go @@ -0,0 +1,6 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 diff --git a/generated/1.18/apis/idp/v1alpha1/defaults.go b/generated/1.18/apis/idp/v1alpha1/defaults.go new file mode 100644 index 00000000..ba08404d --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/defaults.go @@ -0,0 +1,14 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime" +) + +func addDefaultingFuncs(scheme *runtime.Scheme) error { + return RegisterDefaults(scheme) +} diff --git a/generated/1.18/apis/idp/v1alpha1/doc.go b/generated/1.18/apis/idp/v1alpha1/doc.go new file mode 100644 index 00000000..a6ef1015 --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/doc.go @@ -0,0 +1,14 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=github.com/suzerain-io/pinniped/generated/1.18/apis/idp +// +k8s:defaulter-gen=TypeMeta +// +groupName=idp.pinniped.dev +// +groupGoName=IDP + +// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API. +package v1alpha1 diff --git a/generated/1.18/apis/idp/v1alpha1/register.go b/generated/1.18/apis/idp/v1alpha1/register.go new file mode 100644 index 00000000..b7878a21 --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/register.go @@ -0,0 +1,45 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "idp.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &WebhookIdentityProvider{}, + &WebhookIdentityProviderList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/generated/1.18/apis/idp/v1alpha1/types_meta.go b/generated/1.18/apis/idp/v1alpha1/types_meta.go new file mode 100644 index 00000000..fe4a5c25 --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/types_meta.go @@ -0,0 +1,77 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} diff --git a/generated/1.18/apis/idp/v1alpha1/types_tls.go b/generated/1.18/apis/idp/v1alpha1/types_tls.go new file mode 100644 index 00000000..64f355e6 --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/types_tls.go @@ -0,0 +1,13 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +// Configuration for configuring TLS on various identity providers. +type TLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` +} diff --git a/generated/1.18/apis/idp/v1alpha1/types_webhook.go b/generated/1.18/apis/idp/v1alpha1/types_webhook.go new file mode 100644 index 00000000..046a16cb --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/types_webhook.go @@ -0,0 +1,55 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// Status of a webhook identity provider. +type WebhookIdentityProviderStatus struct { + // Represents the observations of an identity provider's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// Spec for configuring a webhook identity provider. +type WebhookIdentityProviderSpec struct { + // Webhook server endpoint URL. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://` + Endpoint string `json:"endpoint"` + + // TLS configuration. + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps +// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint` +type WebhookIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec WebhookIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status WebhookIdentityProviderStatus `json:"status,omitempty"` +} + +// List of WebhookIdentityProvider objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type WebhookIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []WebhookIdentityProvider `json:"items"` +} diff --git a/generated/1.18/apis/idp/v1alpha1/zz_generated.conversion.go b/generated/1.18/apis/idp/v1alpha1/zz_generated.conversion.go new file mode 100644 index 00000000..f39942f8 --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/zz_generated.conversion.go @@ -0,0 +1,24 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + return nil +} diff --git a/generated/1.18/apis/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/idp/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000..29ed1e8e --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/zz_generated.deepcopy.go @@ -0,0 +1,152 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec. +func (in *TLSSpec) DeepCopy() *TLSSpec { + if in == nil { + return nil + } + out := new(TLSSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProvider. +func (in *WebhookIdentityProvider) DeepCopy() *WebhookIdentityProvider { + if in == nil { + return nil + } + out := new(WebhookIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]WebhookIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderList. +func (in *WebhookIdentityProviderList) DeepCopy() *WebhookIdentityProviderList { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProviderSpec) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderSpec. +func (in *WebhookIdentityProviderSpec) DeepCopy() *WebhookIdentityProviderSpec { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderStatus. +func (in *WebhookIdentityProviderStatus) DeepCopy() *WebhookIdentityProviderStatus { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.18/apis/idp/v1alpha1/zz_generated.defaults.go b/generated/1.18/apis/idp/v1alpha1/zz_generated.defaults.go new file mode 100644 index 00000000..1612aa4d --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/zz_generated.defaults.go @@ -0,0 +1,21 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/generated/1.18/apis/idp/zz_generated.deepcopy.go b/generated/1.18/apis/idp/zz_generated.deepcopy.go new file mode 100644 index 00000000..0869390d --- /dev/null +++ b/generated/1.18/apis/idp/zz_generated.deepcopy.go @@ -0,0 +1,10 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package idp diff --git a/generated/1.18/apis/pinniped/v1alpha1/types.go b/generated/1.18/apis/pinniped/v1alpha1/types.go index 0037021e..420f1402 100644 --- a/generated/1.18/apis/pinniped/v1alpha1/types.go +++ b/generated/1.18/apis/pinniped/v1alpha1/types.go @@ -13,19 +13,23 @@ const ( TokenCredentialType = CredentialType("token") ) +// CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider. type CredentialRequestTokenCredential struct { // Value of the bearer token supplied with the credential request. - Value string `json:"value,omitempty" protobuf:"bytes,1,opt,name=value"` + Value string `json:"value,omitempty"` } +// CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API type CredentialRequestSpec struct { // Type of credential. - Type CredentialType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type"` + Type CredentialType `json:"type,omitempty"` // Token credential (when Type == TokenCredentialType). - Token *CredentialRequestTokenCredential `json:"token,omitempty" protobuf:"bytes,2,opt,name=token"` + Token *CredentialRequestTokenCredential `json:"token,omitempty"` } +// CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It +// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster. type CredentialRequestCredential struct { // ExpirationTimestamp indicates a time when the provided credentials expire. ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"` @@ -40,6 +44,7 @@ type CredentialRequestCredential struct { ClientKeyData string `json:"clientKeyData,omitempty"` } +// CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API. type CredentialRequestStatus struct { // A Credential will be returned for a successful credential request. // +optional @@ -50,25 +55,25 @@ type CredentialRequestStatus struct { Message *string `json:"message,omitempty"` } +// CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. // +genclient // +genclient:nonNamespaced // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - type CredentialRequest struct { metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ObjectMeta `json:"metadata,omitempty"` - Spec CredentialRequestSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` - Status CredentialRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` + Spec CredentialRequestSpec `json:"spec,omitempty"` + Status CredentialRequestStatus `json:"status,omitempty"` } -// +genclient:nonNamespaced -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // CredentialRequestList is a list of CredentialRequest objects. +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type CredentialRequestList struct { metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ListMeta `json:"metadata,omitempty"` - Items []CredentialRequest `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []CredentialRequest `json:"items"` } diff --git a/generated/1.18/client/clientset/versioned/clientset.go b/generated/1.18/client/clientset/versioned/clientset.go index eea8d727..0ba43fa0 100644 --- a/generated/1.18/client/clientset/versioned/clientset.go +++ b/generated/1.18/client/clientset/versioned/clientset.go @@ -11,6 +11,7 @@ import ( "fmt" crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/pinniped/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" @@ -20,6 +21,7 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface + IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface } @@ -28,6 +30,7 @@ type Interface interface { type Clientset struct { *discovery.DiscoveryClient crdV1alpha1 *crdv1alpha1.CrdV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client pinnipedV1alpha1 *pinnipedv1alpha1.PinnipedV1alpha1Client } @@ -36,6 +39,11 @@ func (c *Clientset) CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface { return c.crdV1alpha1 } +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return c.iDPV1alpha1 +} + // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface { return c.pinnipedV1alpha1 @@ -66,6 +74,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } + cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.pinnipedV1alpha1, err = pinnipedv1alpha1.NewForConfig(&configShallowCopy) if err != nil { return nil, err @@ -83,6 +95,7 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.crdV1alpha1 = crdv1alpha1.NewForConfigOrDie(c) + cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) cs.pinnipedV1alpha1 = pinnipedv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) @@ -93,6 +106,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { func New(c rest.Interface) *Clientset { var cs Clientset cs.crdV1alpha1 = crdv1alpha1.New(c) + cs.iDPV1alpha1 = idpv1alpha1.New(c) cs.pinnipedV1alpha1 = pinnipedv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) diff --git a/generated/1.18/client/clientset/versioned/fake/clientset_generated.go b/generated/1.18/client/clientset/versioned/fake/clientset_generated.go index 2d456ffb..d5f54f63 100644 --- a/generated/1.18/client/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.18/client/clientset/versioned/fake/clientset_generated.go @@ -11,6 +11,8 @@ import ( clientset "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned" crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/crdpinniped/v1alpha1" fakecrdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/crdpinniped/v1alpha1/fake" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1" + fakeidpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/pinniped/v1alpha1" fakepinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/pinniped/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" @@ -72,6 +74,11 @@ func (c *Clientset) CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface { return &fakecrdv1alpha1.FakeCrdV1alpha1{Fake: &c.Fake} } +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} +} + // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface { return &fakepinnipedv1alpha1.FakePinnipedV1alpha1{Fake: &c.Fake} diff --git a/generated/1.18/client/clientset/versioned/fake/register.go b/generated/1.18/client/clientset/versioned/fake/register.go index a247e760..d18a2f51 100644 --- a/generated/1.18/client/clientset/versioned/fake/register.go +++ b/generated/1.18/client/clientset/versioned/fake/register.go @@ -9,6 +9,7 @@ package fake import ( crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -22,6 +23,7 @@ var codecs = serializer.NewCodecFactory(scheme) var parameterCodec = runtime.NewParameterCodec(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ crdv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, pinnipedv1alpha1.AddToScheme, } diff --git a/generated/1.18/client/clientset/versioned/scheme/register.go b/generated/1.18/client/clientset/versioned/scheme/register.go index 41b989c8..988170d1 100644 --- a/generated/1.18/client/clientset/versioned/scheme/register.go +++ b/generated/1.18/client/clientset/versioned/scheme/register.go @@ -9,6 +9,7 @@ package scheme import ( crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -22,6 +23,7 @@ var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ crdv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, pinnipedv1alpha1.AddToScheme, } diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/doc.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/doc.go new file mode 100644 index 00000000..40c99ba8 --- /dev/null +++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/doc.go @@ -0,0 +1,9 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go new file mode 100644 index 00000000..d51c7ce7 --- /dev/null +++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go @@ -0,0 +1,9 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go new file mode 100644 index 00000000..23485990 --- /dev/null +++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -0,0 +1,29 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeIDPV1alpha1 struct { + *testing.Fake +} + +func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface { + return &FakeWebhookIdentityProviders{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeIDPV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go new file mode 100644 index 00000000..828d3501 --- /dev/null +++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go @@ -0,0 +1,131 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface +type FakeWebhookIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"} + +var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"} + +// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any. +func (c *FakeWebhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors. +func (c *FakeWebhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(webhookidentityprovidersResource, webhookidentityprovidersKind, c.ns, opts), &v1alpha1.WebhookIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.WebhookIdentityProviderList{ListMeta: obj.(*v1alpha1.WebhookIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.WebhookIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested webhookIdentityProviders. +func (c *FakeWebhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(webhookidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a webhookIdentityProvider and creates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *FakeWebhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *FakeWebhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeWebhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(webhookidentityprovidersResource, "status", c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeWebhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeWebhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(webhookidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.WebhookIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched webhookIdentityProvider. +func (c *FakeWebhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(webhookidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..bd61370a --- /dev/null +++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -0,0 +1,10 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type WebhookIdentityProviderExpansion interface{} diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go new file mode 100644 index 00000000..eebbf121 --- /dev/null +++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -0,0 +1,78 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1" + "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type IDPV1alpha1Interface interface { + RESTClient() rest.Interface + WebhookIdentityProvidersGetter +} + +// IDPV1alpha1Client is used to interact with features provided by the idp.pinniped.dev group. +type IDPV1alpha1Client struct { + restClient rest.Interface +} + +func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface { + return newWebhookIdentityProviders(c, namespace) +} + +// NewForConfig creates a new IDPV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &IDPV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new IDPV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *IDPV1alpha1Client { + return &IDPV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *IDPV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 00000000..8d6c2f50 --- /dev/null +++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,184 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1" + scheme "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// WebhookIdentityProvidersGetter has a method to return a WebhookIdentityProviderInterface. +// A group's client should implement this interface. +type WebhookIdentityProvidersGetter interface { + WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface +} + +// WebhookIdentityProviderInterface has methods to work with WebhookIdentityProvider resources. +type WebhookIdentityProviderInterface interface { + Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (*v1alpha1.WebhookIdentityProvider, error) + Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) + UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.WebhookIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.WebhookIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) + WebhookIdentityProviderExpansion +} + +// webhookIdentityProviders implements WebhookIdentityProviderInterface +type webhookIdentityProviders struct { + client rest.Interface + ns string +} + +// newWebhookIdentityProviders returns a WebhookIdentityProviders +func newWebhookIdentityProviders(c *IDPV1alpha1Client, namespace string) *webhookIdentityProviders { + return &webhookIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any. +func (c *webhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors. +func (c *webhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.WebhookIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested webhookIdentityProviders. +func (c *webhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a webhookIdentityProvider and creates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *webhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(webhookIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *webhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(webhookIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(webhookIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *webhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(webhookIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(webhookIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs. +func (c *webhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *webhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched webhookIdentityProvider. +func (c *webhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.18/client/informers/externalversions/factory.go b/generated/1.18/client/informers/externalversions/factory.go index 4158afea..95d174a7 100644 --- a/generated/1.18/client/informers/externalversions/factory.go +++ b/generated/1.18/client/informers/externalversions/factory.go @@ -14,6 +14,7 @@ import ( versioned "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned" crdpinniped "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/crdpinniped" + idp "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/idp" internalinterfaces "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/internalinterfaces" pinniped "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/pinniped" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -163,6 +164,7 @@ type SharedInformerFactory interface { WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool Crd() crdpinniped.Interface + IDP() idp.Interface Pinniped() pinniped.Interface } @@ -170,6 +172,10 @@ func (f *sharedInformerFactory) Crd() crdpinniped.Interface { return crdpinniped.New(f, f.namespace, f.tweakListOptions) } +func (f *sharedInformerFactory) IDP() idp.Interface { + return idp.New(f, f.namespace, f.tweakListOptions) +} + func (f *sharedInformerFactory) Pinniped() pinniped.Interface { return pinniped.New(f, f.namespace, f.tweakListOptions) } diff --git a/generated/1.18/client/informers/externalversions/generic.go b/generated/1.18/client/informers/externalversions/generic.go index e2db3b46..5d8fa30f 100644 --- a/generated/1.18/client/informers/externalversions/generic.go +++ b/generated/1.18/client/informers/externalversions/generic.go @@ -11,6 +11,7 @@ import ( "fmt" v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" @@ -46,6 +47,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"): return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha1().CredentialIssuerConfigs().Informer()}, nil + // Group=idp.pinniped.dev, Version=v1alpha1 + case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil + // Group=pinniped.dev, Version=v1alpha1 case pinnipedv1alpha1.SchemeGroupVersion.WithResource("credentialrequests"): return &genericInformer{resource: resource.GroupResource(), informer: f.Pinniped().V1alpha1().CredentialRequests().Informer()}, nil diff --git a/generated/1.18/client/informers/externalversions/idp/interface.go b/generated/1.18/client/informers/externalversions/idp/interface.go new file mode 100644 index 00000000..ce170198 --- /dev/null +++ b/generated/1.18/client/informers/externalversions/idp/interface.go @@ -0,0 +1,35 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package idp + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/idp/v1alpha1" + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/internalinterfaces" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/1.18/client/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.18/client/informers/externalversions/idp/v1alpha1/interface.go new file mode 100644 index 00000000..f8bdc576 --- /dev/null +++ b/generated/1.18/client/informers/externalversions/idp/v1alpha1/interface.go @@ -0,0 +1,34 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // WebhookIdentityProviders returns a WebhookIdentityProviderInformer. + WebhookIdentityProviders() WebhookIdentityProviderInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// WebhookIdentityProviders returns a WebhookIdentityProviderInformer. +func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer { + return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 00000000..609951db --- /dev/null +++ b/generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,79 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1" + versioned "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned" + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/internalinterfaces" + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// WebhookIdentityProviderInformer provides access to a shared informer and lister for +// WebhookIdentityProviders. +type WebhookIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.WebhookIdentityProviderLister +} + +type webhookIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredWebhookIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.WebhookIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredWebhookIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.WebhookIdentityProvider{}, f.defaultInformer) +} + +func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister { + return v1alpha1.NewWebhookIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.18/client/listers/idp/v1alpha1/expansion_generated.go b/generated/1.18/client/listers/idp/v1alpha1/expansion_generated.go new file mode 100644 index 00000000..61d85cbe --- /dev/null +++ b/generated/1.18/client/listers/idp/v1alpha1/expansion_generated.go @@ -0,0 +1,16 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// WebhookIdentityProviderListerExpansion allows custom methods to be added to +// WebhookIdentityProviderLister. +type WebhookIdentityProviderListerExpansion interface{} + +// WebhookIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// WebhookIdentityProviderNamespaceLister. +type WebhookIdentityProviderNamespaceListerExpansion interface{} diff --git a/generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 00000000..6014a7b3 --- /dev/null +++ b/generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,83 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// WebhookIdentityProviderLister helps list WebhookIdentityProviders. +type WebhookIdentityProviderLister interface { + // List lists all WebhookIdentityProviders in the indexer. + List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) + // WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders. + WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister + WebhookIdentityProviderListerExpansion +} + +// webhookIdentityProviderLister implements the WebhookIdentityProviderLister interface. +type webhookIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewWebhookIdentityProviderLister returns a new WebhookIdentityProviderLister. +func NewWebhookIdentityProviderLister(indexer cache.Indexer) WebhookIdentityProviderLister { + return &webhookIdentityProviderLister{indexer: indexer} +} + +// List lists all WebhookIdentityProviders in the indexer. +func (s *webhookIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider)) + }) + return ret, err +} + +// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders. +func (s *webhookIdentityProviderLister) WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister { + return webhookIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// WebhookIdentityProviderNamespaceLister helps list and get WebhookIdentityProviders. +type WebhookIdentityProviderNamespaceLister interface { + // List lists all WebhookIdentityProviders in the indexer for a given namespace. + List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) + // Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name. + Get(name string) (*v1alpha1.WebhookIdentityProvider, error) + WebhookIdentityProviderNamespaceListerExpansion +} + +// webhookIdentityProviderNamespaceLister implements the WebhookIdentityProviderNamespaceLister +// interface. +type webhookIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all WebhookIdentityProviders in the indexer for a given namespace. +func (s webhookIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name. +func (s webhookIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.WebhookIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("webhookidentityprovider"), name) + } + return obj.(*v1alpha1.WebhookIdentityProvider), nil +} diff --git a/generated/1.18/client/openapi/zz_generated.openapi.go b/generated/1.18/client/openapi/zz_generated.openapi.go index 564319af..522c1543 100644 --- a/generated/1.18/client/openapi/zz_generated.openapi.go +++ b/generated/1.18/client/openapi/zz_generated.openapi.go @@ -24,6 +24,12 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1.CredentialIssuerConfigList": schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfigList(ref), "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStatus": schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStatus(ref), "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStrategy": schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref), + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.Condition": schema_118_apis_idp_v1alpha1_Condition(ref), + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.TLSSpec": schema_118_apis_idp_v1alpha1_TLSSpec(ref), + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProvider": schema_118_apis_idp_v1alpha1_WebhookIdentityProvider(ref), + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderList": schema_118_apis_idp_v1alpha1_WebhookIdentityProviderList(ref), + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderSpec": schema_118_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref), + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderStatus": schema_118_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref), "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1.CredentialRequest": schema_118_apis_pinniped_v1alpha1_CredentialRequest(ref), "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1.CredentialRequestCredential": schema_118_apis_pinniped_v1alpha1_CredentialRequestCredential(ref), "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1.CredentialRequestList": schema_118_apis_pinniped_v1alpha1_CredentialRequestList(ref), @@ -283,11 +289,250 @@ func schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref com } } +func schema_118_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type of condition in CamelCase or in foo.example.com/CamelCase.", + Type: []string{"string"}, + Format: "", + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status of the condition, one of True, False, Unknown.", + Type: []string{"string"}, + Format: "", + }, + }, + "observedGeneration": { + SchemaProps: spec.SchemaProps{ + Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "lastTransitionTime": { + SchemaProps: spec.SchemaProps{ + Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + }, + }, + "reason": { + SchemaProps: spec.SchemaProps{ + Description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.", + Type: []string{"string"}, + Format: "", + }, + }, + "message": { + SchemaProps: spec.SchemaProps{ + Description: "message is a human readable message indicating details about the transition. This may be an empty string.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"type", "status", "lastTransitionTime", "reason", "message"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, + } +} + +func schema_118_apis_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Configuration for configuring TLS on various identity providers.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "certificateAuthorityData": { + SchemaProps: spec.SchemaProps{ + Description: "X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_118_apis_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "Spec for configuring the identity provider.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderSpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "Status of the identity provider.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderStatus"), + }, + }, + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderSpec", "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_118_apis_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "List of WebhookIdentityProvider objects.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProvider"), + }, + }, + }, + }, + }, + }, + Required: []string{"items"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_118_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Spec for configuring a webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "endpoint": { + SchemaProps: spec.SchemaProps{ + Description: "Webhook server endpoint URL.", + Type: []string{"string"}, + Format: "", + }, + }, + "tls": { + SchemaProps: spec.SchemaProps{ + Description: "TLS configuration.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.TLSSpec"), + }, + }, + }, + Required: []string{"endpoint"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.TLSSpec"}, + } +} + +func schema_118_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Status of a webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "Represents the observations of an identity provider's current state.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.Condition"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.Condition"}, + } +} + func schema_118_apis_pinniped_v1alpha1_CredentialRequest(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { SchemaProps: spec.SchemaProps{ @@ -330,7 +575,8 @@ func schema_118_apis_pinniped_v1alpha1_CredentialRequestCredential(ref common.Re return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "expirationTimestamp": { SchemaProps: spec.SchemaProps{ @@ -418,7 +664,8 @@ func schema_118_apis_pinniped_v1alpha1_CredentialRequestSpec(ref common.Referenc return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ @@ -445,7 +692,8 @@ func schema_118_apis_pinniped_v1alpha1_CredentialRequestStatus(ref common.Refere return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "credential": { SchemaProps: spec.SchemaProps{ @@ -472,7 +720,8 @@ func schema_118_apis_pinniped_v1alpha1_CredentialRequestTokenCredential(ref comm return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "value": { SchemaProps: spec.SchemaProps{ diff --git a/generated/1.18/crds/idp.pinniped.dev_webhookidentityproviders.yaml b/generated/1.18/crds/idp.pinniped.dev_webhookidentityproviders.yaml new file mode 100644 index 00000000..213b7ad2 --- /dev/null +++ b/generated/1.18/crds/idp.pinniped.dev_webhookidentityproviders.yaml @@ -0,0 +1,149 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + creationTimestamp: null + name: webhookidentityproviders.idp.pinniped.dev +spec: + group: idp.pinniped.dev + names: + categories: + - all + - idp + - idps + kind: WebhookIdentityProvider + listKind: WebhookIdentityProviderList + plural: webhookidentityproviders + shortNames: + - webhookidp + - webhookidps + singular: webhookidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: WebhookIdentityProvider describes the configuration of a Pinniped + webhook identity provider. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + endpoint: + description: Webhook server endpoint URL. + minLength: 1 + pattern: ^https:// + type: string + tls: + description: TLS configuration. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). + If omitted, a default set of system roots will be trusted. + type: string + type: object + required: + - endpoint + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Represents the observations of an identity provider's + current state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index 57d176cc..72376595 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc @@ -6,6 +6,7 @@ .Packages - xref:{anchor_prefix}-crd-pinniped-dev-v1alpha1[$$crd.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-idp-pinniped-dev-v1alpha1[$$idp.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-pinniped-dev-v1alpha1[$$pinniped.dev/v1alpha1$$] @@ -95,6 +96,110 @@ Status of a credential issuer. +[id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"] +=== idp.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API. + + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-tlsspec"] +==== TLSSpec + +Configuration for configuring TLS on various identity providers. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityprovider"] +==== WebhookIdentityProvider + +WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderspec"] +==== WebhookIdentityProviderSpec + +Spec for configuring a webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`endpoint`* __string__ | Webhook server endpoint URL. +| *`tls`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderstatus"] +==== WebhookIdentityProviderStatus + +Status of a webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`conditions`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state. +|=== + + + [id="{anchor_prefix}-pinniped-dev-v1alpha1"] === pinniped.dev/v1alpha1 @@ -105,7 +210,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-pinniped-v1alpha1-credentialrequest"] ==== CredentialRequest - +CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. .Appears In: **** @@ -125,7 +230,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-pinniped-v1alpha1-credentialrequestcredential"] ==== CredentialRequestCredential - +CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster. .Appears In: **** @@ -147,7 +252,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-pinniped-v1alpha1-credentialrequestspec"] ==== CredentialRequestSpec - +CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API .Appears In: **** @@ -165,7 +270,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-pinniped-v1alpha1-credentialrequeststatus"] ==== CredentialRequestStatus - +CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API. .Appears In: **** @@ -183,7 +288,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-pinniped-v1alpha1-credentialrequesttokencredential"] ==== CredentialRequestTokenCredential - +CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider. .Appears In: **** diff --git a/generated/1.19/apis/idp/doc.go b/generated/1.19/apis/idp/doc.go new file mode 100644 index 00000000..b7689b2b --- /dev/null +++ b/generated/1.19/apis/idp/doc.go @@ -0,0 +1,10 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// +k8s:deepcopy-gen=package +// +groupName=idp.pinniped.dev + +// Package idp is the internal version of the Pinniped identity provider API. +package idp diff --git a/generated/1.19/apis/idp/v1alpha1/conversion.go b/generated/1.19/apis/idp/v1alpha1/conversion.go new file mode 100644 index 00000000..63bc360f --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/conversion.go @@ -0,0 +1,6 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 diff --git a/generated/1.19/apis/idp/v1alpha1/defaults.go b/generated/1.19/apis/idp/v1alpha1/defaults.go new file mode 100644 index 00000000..ba08404d --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/defaults.go @@ -0,0 +1,14 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime" +) + +func addDefaultingFuncs(scheme *runtime.Scheme) error { + return RegisterDefaults(scheme) +} diff --git a/generated/1.19/apis/idp/v1alpha1/doc.go b/generated/1.19/apis/idp/v1alpha1/doc.go new file mode 100644 index 00000000..183dd735 --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/doc.go @@ -0,0 +1,14 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=github.com/suzerain-io/pinniped/generated/1.19/apis/idp +// +k8s:defaulter-gen=TypeMeta +// +groupName=idp.pinniped.dev +// +groupGoName=IDP + +// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API. +package v1alpha1 diff --git a/generated/1.19/apis/idp/v1alpha1/register.go b/generated/1.19/apis/idp/v1alpha1/register.go new file mode 100644 index 00000000..b7878a21 --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/register.go @@ -0,0 +1,45 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "idp.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &WebhookIdentityProvider{}, + &WebhookIdentityProviderList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/generated/1.19/apis/idp/v1alpha1/types_meta.go b/generated/1.19/apis/idp/v1alpha1/types_meta.go new file mode 100644 index 00000000..fe4a5c25 --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/types_meta.go @@ -0,0 +1,77 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} diff --git a/generated/1.19/apis/idp/v1alpha1/types_tls.go b/generated/1.19/apis/idp/v1alpha1/types_tls.go new file mode 100644 index 00000000..64f355e6 --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/types_tls.go @@ -0,0 +1,13 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +// Configuration for configuring TLS on various identity providers. +type TLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` +} diff --git a/generated/1.19/apis/idp/v1alpha1/types_webhook.go b/generated/1.19/apis/idp/v1alpha1/types_webhook.go new file mode 100644 index 00000000..046a16cb --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/types_webhook.go @@ -0,0 +1,55 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// Status of a webhook identity provider. +type WebhookIdentityProviderStatus struct { + // Represents the observations of an identity provider's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// Spec for configuring a webhook identity provider. +type WebhookIdentityProviderSpec struct { + // Webhook server endpoint URL. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://` + Endpoint string `json:"endpoint"` + + // TLS configuration. + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps +// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint` +type WebhookIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec WebhookIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status WebhookIdentityProviderStatus `json:"status,omitempty"` +} + +// List of WebhookIdentityProvider objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type WebhookIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []WebhookIdentityProvider `json:"items"` +} diff --git a/generated/1.19/apis/idp/v1alpha1/zz_generated.conversion.go b/generated/1.19/apis/idp/v1alpha1/zz_generated.conversion.go new file mode 100644 index 00000000..1131cdff --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/zz_generated.conversion.go @@ -0,0 +1,66 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*Condition)(nil), (*v1.Condition)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_Condition_To_v1_Condition(a.(*Condition), b.(*v1.Condition), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*v1.Condition)(nil), (*Condition)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_Condition_To_v1alpha1_Condition(a.(*v1.Condition), b.(*Condition), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_Condition_To_v1_Condition(in *Condition, out *v1.Condition, s conversion.Scope) error { + out.Type = in.Type + out.Status = v1.ConditionStatus(in.Status) + out.ObservedGeneration = in.ObservedGeneration + out.LastTransitionTime = in.LastTransitionTime + out.Reason = in.Reason + out.Message = in.Message + return nil +} + +// Convert_v1alpha1_Condition_To_v1_Condition is an autogenerated conversion function. +func Convert_v1alpha1_Condition_To_v1_Condition(in *Condition, out *v1.Condition, s conversion.Scope) error { + return autoConvert_v1alpha1_Condition_To_v1_Condition(in, out, s) +} + +func autoConvert_v1_Condition_To_v1alpha1_Condition(in *v1.Condition, out *Condition, s conversion.Scope) error { + out.Type = in.Type + out.Status = ConditionStatus(in.Status) + out.ObservedGeneration = in.ObservedGeneration + out.LastTransitionTime = in.LastTransitionTime + out.Reason = in.Reason + out.Message = in.Message + return nil +} + +// Convert_v1_Condition_To_v1alpha1_Condition is an autogenerated conversion function. +func Convert_v1_Condition_To_v1alpha1_Condition(in *v1.Condition, out *Condition, s conversion.Scope) error { + return autoConvert_v1_Condition_To_v1alpha1_Condition(in, out, s) +} diff --git a/generated/1.19/apis/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/idp/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000..29ed1e8e --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/zz_generated.deepcopy.go @@ -0,0 +1,152 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec. +func (in *TLSSpec) DeepCopy() *TLSSpec { + if in == nil { + return nil + } + out := new(TLSSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProvider. +func (in *WebhookIdentityProvider) DeepCopy() *WebhookIdentityProvider { + if in == nil { + return nil + } + out := new(WebhookIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]WebhookIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderList. +func (in *WebhookIdentityProviderList) DeepCopy() *WebhookIdentityProviderList { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProviderSpec) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderSpec. +func (in *WebhookIdentityProviderSpec) DeepCopy() *WebhookIdentityProviderSpec { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderStatus. +func (in *WebhookIdentityProviderStatus) DeepCopy() *WebhookIdentityProviderStatus { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.19/apis/idp/v1alpha1/zz_generated.defaults.go b/generated/1.19/apis/idp/v1alpha1/zz_generated.defaults.go new file mode 100644 index 00000000..1612aa4d --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/zz_generated.defaults.go @@ -0,0 +1,21 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/generated/1.19/apis/idp/zz_generated.deepcopy.go b/generated/1.19/apis/idp/zz_generated.deepcopy.go new file mode 100644 index 00000000..0869390d --- /dev/null +++ b/generated/1.19/apis/idp/zz_generated.deepcopy.go @@ -0,0 +1,10 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package idp diff --git a/generated/1.19/apis/pinniped/v1alpha1/types.go b/generated/1.19/apis/pinniped/v1alpha1/types.go index 0037021e..420f1402 100644 --- a/generated/1.19/apis/pinniped/v1alpha1/types.go +++ b/generated/1.19/apis/pinniped/v1alpha1/types.go @@ -13,19 +13,23 @@ const ( TokenCredentialType = CredentialType("token") ) +// CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider. type CredentialRequestTokenCredential struct { // Value of the bearer token supplied with the credential request. - Value string `json:"value,omitempty" protobuf:"bytes,1,opt,name=value"` + Value string `json:"value,omitempty"` } +// CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API type CredentialRequestSpec struct { // Type of credential. - Type CredentialType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type"` + Type CredentialType `json:"type,omitempty"` // Token credential (when Type == TokenCredentialType). - Token *CredentialRequestTokenCredential `json:"token,omitempty" protobuf:"bytes,2,opt,name=token"` + Token *CredentialRequestTokenCredential `json:"token,omitempty"` } +// CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It +// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster. type CredentialRequestCredential struct { // ExpirationTimestamp indicates a time when the provided credentials expire. ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"` @@ -40,6 +44,7 @@ type CredentialRequestCredential struct { ClientKeyData string `json:"clientKeyData,omitempty"` } +// CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API. type CredentialRequestStatus struct { // A Credential will be returned for a successful credential request. // +optional @@ -50,25 +55,25 @@ type CredentialRequestStatus struct { Message *string `json:"message,omitempty"` } +// CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. // +genclient // +genclient:nonNamespaced // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - type CredentialRequest struct { metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ObjectMeta `json:"metadata,omitempty"` - Spec CredentialRequestSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` - Status CredentialRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` + Spec CredentialRequestSpec `json:"spec,omitempty"` + Status CredentialRequestStatus `json:"status,omitempty"` } -// +genclient:nonNamespaced -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // CredentialRequestList is a list of CredentialRequest objects. +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type CredentialRequestList struct { metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ListMeta `json:"metadata,omitempty"` - Items []CredentialRequest `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []CredentialRequest `json:"items"` } diff --git a/generated/1.19/client/clientset/versioned/clientset.go b/generated/1.19/client/clientset/versioned/clientset.go index a5a23ff3..98dfba50 100644 --- a/generated/1.19/client/clientset/versioned/clientset.go +++ b/generated/1.19/client/clientset/versioned/clientset.go @@ -11,6 +11,7 @@ import ( "fmt" crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/pinniped/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" @@ -20,6 +21,7 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface + IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface } @@ -28,6 +30,7 @@ type Interface interface { type Clientset struct { *discovery.DiscoveryClient crdV1alpha1 *crdv1alpha1.CrdV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client pinnipedV1alpha1 *pinnipedv1alpha1.PinnipedV1alpha1Client } @@ -36,6 +39,11 @@ func (c *Clientset) CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface { return c.crdV1alpha1 } +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return c.iDPV1alpha1 +} + // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface { return c.pinnipedV1alpha1 @@ -66,6 +74,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } + cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.pinnipedV1alpha1, err = pinnipedv1alpha1.NewForConfig(&configShallowCopy) if err != nil { return nil, err @@ -83,6 +95,7 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.crdV1alpha1 = crdv1alpha1.NewForConfigOrDie(c) + cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) cs.pinnipedV1alpha1 = pinnipedv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) @@ -93,6 +106,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { func New(c rest.Interface) *Clientset { var cs Clientset cs.crdV1alpha1 = crdv1alpha1.New(c) + cs.iDPV1alpha1 = idpv1alpha1.New(c) cs.pinnipedV1alpha1 = pinnipedv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) diff --git a/generated/1.19/client/clientset/versioned/fake/clientset_generated.go b/generated/1.19/client/clientset/versioned/fake/clientset_generated.go index 00669ec4..fd85bb1b 100644 --- a/generated/1.19/client/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.19/client/clientset/versioned/fake/clientset_generated.go @@ -11,6 +11,8 @@ import ( clientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/crdpinniped/v1alpha1" fakecrdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/crdpinniped/v1alpha1/fake" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1" + fakeidpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/pinniped/v1alpha1" fakepinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/pinniped/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" @@ -72,6 +74,11 @@ func (c *Clientset) CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface { return &fakecrdv1alpha1.FakeCrdV1alpha1{Fake: &c.Fake} } +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} +} + // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface { return &fakepinnipedv1alpha1.FakePinnipedV1alpha1{Fake: &c.Fake} diff --git a/generated/1.19/client/clientset/versioned/fake/register.go b/generated/1.19/client/clientset/versioned/fake/register.go index ce878f5f..b127ef49 100644 --- a/generated/1.19/client/clientset/versioned/fake/register.go +++ b/generated/1.19/client/clientset/versioned/fake/register.go @@ -9,6 +9,7 @@ package fake import ( crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/pinniped/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -22,6 +23,7 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ crdv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, pinnipedv1alpha1.AddToScheme, } diff --git a/generated/1.19/client/clientset/versioned/scheme/register.go b/generated/1.19/client/clientset/versioned/scheme/register.go index 02388b09..16bd8ac6 100644 --- a/generated/1.19/client/clientset/versioned/scheme/register.go +++ b/generated/1.19/client/clientset/versioned/scheme/register.go @@ -9,6 +9,7 @@ package scheme import ( crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/pinniped/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -22,6 +23,7 @@ var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ crdv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, pinnipedv1alpha1.AddToScheme, } diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/doc.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/doc.go new file mode 100644 index 00000000..40c99ba8 --- /dev/null +++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/doc.go @@ -0,0 +1,9 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go new file mode 100644 index 00000000..d51c7ce7 --- /dev/null +++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go @@ -0,0 +1,9 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go new file mode 100644 index 00000000..de3b2613 --- /dev/null +++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -0,0 +1,29 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeIDPV1alpha1 struct { + *testing.Fake +} + +func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface { + return &FakeWebhookIdentityProviders{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeIDPV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go new file mode 100644 index 00000000..9358c9f0 --- /dev/null +++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go @@ -0,0 +1,131 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface +type FakeWebhookIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"} + +var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"} + +// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any. +func (c *FakeWebhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors. +func (c *FakeWebhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(webhookidentityprovidersResource, webhookidentityprovidersKind, c.ns, opts), &v1alpha1.WebhookIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.WebhookIdentityProviderList{ListMeta: obj.(*v1alpha1.WebhookIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.WebhookIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested webhookIdentityProviders. +func (c *FakeWebhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(webhookidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a webhookIdentityProvider and creates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *FakeWebhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *FakeWebhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeWebhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(webhookidentityprovidersResource, "status", c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeWebhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeWebhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(webhookidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.WebhookIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched webhookIdentityProvider. +func (c *FakeWebhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(webhookidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..bd61370a --- /dev/null +++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -0,0 +1,10 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type WebhookIdentityProviderExpansion interface{} diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go new file mode 100644 index 00000000..6edbb29b --- /dev/null +++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -0,0 +1,78 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type IDPV1alpha1Interface interface { + RESTClient() rest.Interface + WebhookIdentityProvidersGetter +} + +// IDPV1alpha1Client is used to interact with features provided by the idp.pinniped.dev group. +type IDPV1alpha1Client struct { + restClient rest.Interface +} + +func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface { + return newWebhookIdentityProviders(c, namespace) +} + +// NewForConfig creates a new IDPV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &IDPV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new IDPV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *IDPV1alpha1Client { + return &IDPV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *IDPV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 00000000..4c4e2c7c --- /dev/null +++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,184 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + scheme "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// WebhookIdentityProvidersGetter has a method to return a WebhookIdentityProviderInterface. +// A group's client should implement this interface. +type WebhookIdentityProvidersGetter interface { + WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface +} + +// WebhookIdentityProviderInterface has methods to work with WebhookIdentityProvider resources. +type WebhookIdentityProviderInterface interface { + Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (*v1alpha1.WebhookIdentityProvider, error) + Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) + UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.WebhookIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.WebhookIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) + WebhookIdentityProviderExpansion +} + +// webhookIdentityProviders implements WebhookIdentityProviderInterface +type webhookIdentityProviders struct { + client rest.Interface + ns string +} + +// newWebhookIdentityProviders returns a WebhookIdentityProviders +func newWebhookIdentityProviders(c *IDPV1alpha1Client, namespace string) *webhookIdentityProviders { + return &webhookIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any. +func (c *webhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors. +func (c *webhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.WebhookIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested webhookIdentityProviders. +func (c *webhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a webhookIdentityProvider and creates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *webhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(webhookIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *webhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(webhookIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(webhookIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *webhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(webhookIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(webhookIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs. +func (c *webhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *webhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched webhookIdentityProvider. +func (c *webhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.19/client/informers/externalversions/factory.go b/generated/1.19/client/informers/externalversions/factory.go index 40ea7aae..b32ab8cd 100644 --- a/generated/1.19/client/informers/externalversions/factory.go +++ b/generated/1.19/client/informers/externalversions/factory.go @@ -14,6 +14,7 @@ import ( versioned "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" crdpinniped "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/crdpinniped" + idp "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/idp" internalinterfaces "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/internalinterfaces" pinniped "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/pinniped" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -163,6 +164,7 @@ type SharedInformerFactory interface { WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool Crd() crdpinniped.Interface + IDP() idp.Interface Pinniped() pinniped.Interface } @@ -170,6 +172,10 @@ func (f *sharedInformerFactory) Crd() crdpinniped.Interface { return crdpinniped.New(f, f.namespace, f.tweakListOptions) } +func (f *sharedInformerFactory) IDP() idp.Interface { + return idp.New(f, f.namespace, f.tweakListOptions) +} + func (f *sharedInformerFactory) Pinniped() pinniped.Interface { return pinniped.New(f, f.namespace, f.tweakListOptions) } diff --git a/generated/1.19/client/informers/externalversions/generic.go b/generated/1.19/client/informers/externalversions/generic.go index 698ab80d..a112ff40 100644 --- a/generated/1.19/client/informers/externalversions/generic.go +++ b/generated/1.19/client/informers/externalversions/generic.go @@ -11,6 +11,7 @@ import ( "fmt" v1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/pinniped/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" @@ -46,6 +47,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"): return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha1().CredentialIssuerConfigs().Informer()}, nil + // Group=idp.pinniped.dev, Version=v1alpha1 + case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil + // Group=pinniped.dev, Version=v1alpha1 case pinnipedv1alpha1.SchemeGroupVersion.WithResource("credentialrequests"): return &genericInformer{resource: resource.GroupResource(), informer: f.Pinniped().V1alpha1().CredentialRequests().Informer()}, nil diff --git a/generated/1.19/client/informers/externalversions/idp/interface.go b/generated/1.19/client/informers/externalversions/idp/interface.go new file mode 100644 index 00000000..206b43f5 --- /dev/null +++ b/generated/1.19/client/informers/externalversions/idp/interface.go @@ -0,0 +1,35 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package idp + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/idp/v1alpha1" + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/internalinterfaces" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/1.19/client/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.19/client/informers/externalversions/idp/v1alpha1/interface.go new file mode 100644 index 00000000..3927d66f --- /dev/null +++ b/generated/1.19/client/informers/externalversions/idp/v1alpha1/interface.go @@ -0,0 +1,34 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // WebhookIdentityProviders returns a WebhookIdentityProviderInformer. + WebhookIdentityProviders() WebhookIdentityProviderInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// WebhookIdentityProviders returns a WebhookIdentityProviderInformer. +func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer { + return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 00000000..65df5620 --- /dev/null +++ b/generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,79 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + versioned "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/internalinterfaces" + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// WebhookIdentityProviderInformer provides access to a shared informer and lister for +// WebhookIdentityProviders. +type WebhookIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.WebhookIdentityProviderLister +} + +type webhookIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredWebhookIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.WebhookIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredWebhookIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.WebhookIdentityProvider{}, f.defaultInformer) +} + +func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister { + return v1alpha1.NewWebhookIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.19/client/listers/idp/v1alpha1/expansion_generated.go b/generated/1.19/client/listers/idp/v1alpha1/expansion_generated.go new file mode 100644 index 00000000..61d85cbe --- /dev/null +++ b/generated/1.19/client/listers/idp/v1alpha1/expansion_generated.go @@ -0,0 +1,16 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// WebhookIdentityProviderListerExpansion allows custom methods to be added to +// WebhookIdentityProviderLister. +type WebhookIdentityProviderListerExpansion interface{} + +// WebhookIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// WebhookIdentityProviderNamespaceLister. +type WebhookIdentityProviderNamespaceListerExpansion interface{} diff --git a/generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 00000000..53101588 --- /dev/null +++ b/generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,88 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// WebhookIdentityProviderLister helps list WebhookIdentityProviders. +// All objects returned here must be treated as read-only. +type WebhookIdentityProviderLister interface { + // List lists all WebhookIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) + // WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders. + WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister + WebhookIdentityProviderListerExpansion +} + +// webhookIdentityProviderLister implements the WebhookIdentityProviderLister interface. +type webhookIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewWebhookIdentityProviderLister returns a new WebhookIdentityProviderLister. +func NewWebhookIdentityProviderLister(indexer cache.Indexer) WebhookIdentityProviderLister { + return &webhookIdentityProviderLister{indexer: indexer} +} + +// List lists all WebhookIdentityProviders in the indexer. +func (s *webhookIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider)) + }) + return ret, err +} + +// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders. +func (s *webhookIdentityProviderLister) WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister { + return webhookIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// WebhookIdentityProviderNamespaceLister helps list and get WebhookIdentityProviders. +// All objects returned here must be treated as read-only. +type WebhookIdentityProviderNamespaceLister interface { + // List lists all WebhookIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) + // Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.WebhookIdentityProvider, error) + WebhookIdentityProviderNamespaceListerExpansion +} + +// webhookIdentityProviderNamespaceLister implements the WebhookIdentityProviderNamespaceLister +// interface. +type webhookIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all WebhookIdentityProviders in the indexer for a given namespace. +func (s webhookIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name. +func (s webhookIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.WebhookIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("webhookidentityprovider"), name) + } + return obj.(*v1alpha1.WebhookIdentityProvider), nil +} diff --git a/generated/1.19/client/openapi/zz_generated.openapi.go b/generated/1.19/client/openapi/zz_generated.openapi.go index 2b066cbf..55f7d42a 100644 --- a/generated/1.19/client/openapi/zz_generated.openapi.go +++ b/generated/1.19/client/openapi/zz_generated.openapi.go @@ -24,6 +24,12 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1.CredentialIssuerConfigList": schema_119_apis_crdpinniped_v1alpha1_CredentialIssuerConfigList(ref), "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStatus": schema_119_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStatus(ref), "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStrategy": schema_119_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref), + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.Condition": schema_119_apis_idp_v1alpha1_Condition(ref), + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.TLSSpec": schema_119_apis_idp_v1alpha1_TLSSpec(ref), + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProvider": schema_119_apis_idp_v1alpha1_WebhookIdentityProvider(ref), + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderList": schema_119_apis_idp_v1alpha1_WebhookIdentityProviderList(ref), + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderSpec": schema_119_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref), + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderStatus": schema_119_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref), "github.com/suzerain-io/pinniped/generated/1.19/apis/pinniped/v1alpha1.CredentialRequest": schema_119_apis_pinniped_v1alpha1_CredentialRequest(ref), "github.com/suzerain-io/pinniped/generated/1.19/apis/pinniped/v1alpha1.CredentialRequestCredential": schema_119_apis_pinniped_v1alpha1_CredentialRequestCredential(ref), "github.com/suzerain-io/pinniped/generated/1.19/apis/pinniped/v1alpha1.CredentialRequestList": schema_119_apis_pinniped_v1alpha1_CredentialRequestList(ref), @@ -284,11 +290,250 @@ func schema_119_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref com } } +func schema_119_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type of condition in CamelCase or in foo.example.com/CamelCase.", + Type: []string{"string"}, + Format: "", + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status of the condition, one of True, False, Unknown.", + Type: []string{"string"}, + Format: "", + }, + }, + "observedGeneration": { + SchemaProps: spec.SchemaProps{ + Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "lastTransitionTime": { + SchemaProps: spec.SchemaProps{ + Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + }, + }, + "reason": { + SchemaProps: spec.SchemaProps{ + Description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.", + Type: []string{"string"}, + Format: "", + }, + }, + "message": { + SchemaProps: spec.SchemaProps{ + Description: "message is a human readable message indicating details about the transition. This may be an empty string.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"type", "status", "lastTransitionTime", "reason", "message"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, + } +} + +func schema_119_apis_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Configuration for configuring TLS on various identity providers.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "certificateAuthorityData": { + SchemaProps: spec.SchemaProps{ + Description: "X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_119_apis_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "Spec for configuring the identity provider.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderSpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "Status of the identity provider.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderStatus"), + }, + }, + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderSpec", "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_119_apis_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "List of WebhookIdentityProvider objects.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProvider"), + }, + }, + }, + }, + }, + }, + Required: []string{"items"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_119_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Spec for configuring a webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "endpoint": { + SchemaProps: spec.SchemaProps{ + Description: "Webhook server endpoint URL.", + Type: []string{"string"}, + Format: "", + }, + }, + "tls": { + SchemaProps: spec.SchemaProps{ + Description: "TLS configuration.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.TLSSpec"), + }, + }, + }, + Required: []string{"endpoint"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.TLSSpec"}, + } +} + +func schema_119_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Status of a webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "Represents the observations of an identity provider's current state.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.Condition"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.Condition"}, + } +} + func schema_119_apis_pinniped_v1alpha1_CredentialRequest(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { SchemaProps: spec.SchemaProps{ @@ -331,7 +576,8 @@ func schema_119_apis_pinniped_v1alpha1_CredentialRequestCredential(ref common.Re return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "expirationTimestamp": { SchemaProps: spec.SchemaProps{ @@ -419,7 +665,8 @@ func schema_119_apis_pinniped_v1alpha1_CredentialRequestSpec(ref common.Referenc return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ @@ -446,7 +693,8 @@ func schema_119_apis_pinniped_v1alpha1_CredentialRequestStatus(ref common.Refere return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "credential": { SchemaProps: spec.SchemaProps{ @@ -473,7 +721,8 @@ func schema_119_apis_pinniped_v1alpha1_CredentialRequestTokenCredential(ref comm return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "value": { SchemaProps: spec.SchemaProps{ diff --git a/generated/1.19/crds/idp.pinniped.dev_webhookidentityproviders.yaml b/generated/1.19/crds/idp.pinniped.dev_webhookidentityproviders.yaml new file mode 100644 index 00000000..213b7ad2 --- /dev/null +++ b/generated/1.19/crds/idp.pinniped.dev_webhookidentityproviders.yaml @@ -0,0 +1,149 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + creationTimestamp: null + name: webhookidentityproviders.idp.pinniped.dev +spec: + group: idp.pinniped.dev + names: + categories: + - all + - idp + - idps + kind: WebhookIdentityProvider + listKind: WebhookIdentityProviderList + plural: webhookidentityproviders + shortNames: + - webhookidp + - webhookidps + singular: webhookidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: WebhookIdentityProvider describes the configuration of a Pinniped + webhook identity provider. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + endpoint: + description: Webhook server endpoint URL. + minLength: 1 + pattern: ^https:// + type: string + tls: + description: TLS configuration. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). + If omitted, a default set of system roots will be trusted. + type: string + type: object + required: + - endpoint + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Represents the observations of an identity provider's + current state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/go.mod b/go.mod index 246020d6..d5d284a4 100644 --- a/go.mod +++ b/go.mod @@ -3,8 +3,11 @@ module github.com/suzerain-io/pinniped go 1.14 require ( + github.com/MakeNowJust/heredoc/v2 v2.0.1 github.com/davecgh/go-spew v1.1.1 + github.com/ghodss/yaml v1.0.0 github.com/go-logr/logr v0.2.1 + github.com/go-logr/stdr v0.2.0 github.com/golang/mock v1.4.4 github.com/golangci/golangci-lint v1.31.0 github.com/google/go-cmp v0.5.2 diff --git a/go.sum b/go.sum index fb22470c..5eea03fa 100644 --- a/go.sum +++ b/go.sum @@ -36,6 +36,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/Djarvur/go-err113 v0.0.0-20200511133814-5174e21577d5 h1:XTrzB+F8+SpRmbhAH8HLxhiiG6nYNwaBZjrFps1oWEk= github.com/Djarvur/go-err113 v0.0.0-20200511133814-5174e21577d5/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs= +github.com/MakeNowJust/heredoc/v2 v2.0.1 h1:rlCHh70XXXv7toz95ajQWOWQnN4WNLt0TdpZYIR/J6A= +github.com/MakeNowJust/heredoc/v2 v2.0.1/go.mod h1:6/2Abh5s+hc3g9nbWLe9ObDIOhaRrqsyY9MWy+4JdRM= github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46 h1:lsxEuwrXEAokXB9qhlbKWPpo3KMLZQ5WB5WLQRW1uq0= @@ -98,8 +100,6 @@ github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfc github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/daixiang0/gci v0.0.0-20200727065011-66f1df783cb2 h1:3Lhhps85OdA8ezsEKu+IA1hE+DBTjt/fjd7xNCrHbVA= -github.com/daixiang0/gci v0.0.0-20200727065011-66f1df783cb2/go.mod h1:+AV8KmHTGxxwp/pY84TLQfFKp2vuKXXJVzF3kD/hfR4= github.com/daixiang0/gci v0.2.4 h1:BUCKk5nlK2m+kRIsoj+wb/5hazHvHeZieBKWd9Afa8Q= github.com/daixiang0/gci v0.2.4/go.mod h1:+AV8KmHTGxxwp/pY84TLQfFKp2vuKXXJVzF3kD/hfR4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -132,16 +132,14 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-critic/go-critic v0.5.0 h1:Ic2p5UCl5fX/2WX2w8nroPpPhxRNsNTMlJzsu/uqwnM= -github.com/go-critic/go-critic v0.5.0/go.mod h1:4jeRh3ZAVnRYhuWdOEvwzVqLUpxMSoAT0xZ74JsTPlo= github.com/go-critic/go-critic v0.5.2 h1:3RJdgf6u4NZUumoP8nzbqiiNT8e1tC2Oc7jlgqre/IA= github.com/go-critic/go-critic v0.5.2/go.mod h1:cc0+HvdE3lFpqLecgqMaJcvWWH77sLdBp+wLGPM1Yyo= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-lintpack/lintpack v0.5.2/go.mod h1:NwZuYi2nUHho8XEIZ6SIxihrnPoqBTDqfpXvXAN0sXM= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= @@ -149,6 +147,8 @@ github.com/go-logr/logr v0.2.0 h1:QvGt2nLcHH0WK9orKa+ppBPAxREcH364nPUedEpK0TY= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v0.2.1 h1:fV3MLmabKIZ383XifUjFSwcoGee0v9qgPp8wy5svibE= github.com/go-logr/logr v0.2.1/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-logr/stdr v0.2.0 h1:EuTFw3BCZ6H/+1VNFlOLVK/sPKwmGMLx8/FTOFWuXpU= +github.com/go-logr/stdr v0.2.0/go.mod h1:NO1vneyJDqKVgJYnxhwXWWmQPOvNM391IG3H8ql3jiA= github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8= github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= @@ -175,17 +175,13 @@ github.com/go-toolsmith/astcast v1.0.0 h1:JojxlmI6STnFVG9yOImLeGREv8W2ocNUM+iOhR github.com/go-toolsmith/astcast v1.0.0/go.mod h1:mt2OdQTeAQcY4DQgPSArJjHCcOwlX+Wl/kwN+LbLGQ4= github.com/go-toolsmith/astcopy v1.0.0 h1:OMgl1b1MEpjFQ1m5ztEO06rz5CUd3oBv9RF7+DyvdG8= github.com/go-toolsmith/astcopy v1.0.0/go.mod h1:vrgyG+5Bxrnz4MZWPF+pI4R8h3qKRjjyvV/DSez4WVQ= -github.com/go-toolsmith/astequal v0.0.0-20180903214952-dcb477bfacd6/go.mod h1:H+xSiq0+LtiDC11+h1G32h7Of5O3CYFJ99GVbS5lDKY= github.com/go-toolsmith/astequal v1.0.0 h1:4zxD8j3JRFNyLN46lodQuqz3xdKSrur7U/sr0SDS/gQ= github.com/go-toolsmith/astequal v1.0.0/go.mod h1:H+xSiq0+LtiDC11+h1G32h7Of5O3CYFJ99GVbS5lDKY= -github.com/go-toolsmith/astfmt v0.0.0-20180903215011-8f8ee99c3086/go.mod h1:mP93XdblcopXwlyN4X4uodxXQhldPGZbcEJIimQHrkg= github.com/go-toolsmith/astfmt v1.0.0 h1:A0vDDXt+vsvLEdbMFJAUBI/uTbRw1ffOPnxsILnFL6k= github.com/go-toolsmith/astfmt v1.0.0/go.mod h1:cnWmsOAuq4jJY6Ct5YWlVLmcmLMn1JUPuQIHCY7CJDw= github.com/go-toolsmith/astinfo v0.0.0-20180906194353-9809ff7efb21/go.mod h1:dDStQCHtmZpYOmjRP/8gHHnCCch3Zz3oEgCdZVdtweU= -github.com/go-toolsmith/astp v0.0.0-20180903215135-0af7e3c24f30/go.mod h1:SV2ur98SGypH1UjcPpCatrV5hPazG6+IfNHbkDXBRrk= github.com/go-toolsmith/astp v1.0.0 h1:alXE75TXgcmupDsMK1fRAy0YUzLzqPVvBKoyWV+KPXg= github.com/go-toolsmith/astp v1.0.0/go.mod h1:RSyrtpVlfTFGDYRbrjyWP1pYu//tSFcvdYrA8meBmLI= -github.com/go-toolsmith/pkgload v0.0.0-20181119091011-e9e65178eee8/go.mod h1:WoMrjiy4zvdS+Bg6z9jZH82QXwkcgCBX6nOfnmdaHks= github.com/go-toolsmith/pkgload v1.0.0 h1:4DFWWMXVfbcN5So1sBNW9+yeiMqLFGl1wFLTL5R0Tgg= github.com/go-toolsmith/pkgload v1.0.0/go.mod h1:5eFArkbO80v7Z0kdngIxsRXRMTaX4Ilcwuh3clNrQJc= github.com/go-toolsmith/strparse v1.0.0 h1:Vcw78DnpCAKlM20kSbAyO4mPfJn/lyYA4BJUDxe2Jb4= @@ -197,8 +193,6 @@ github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b h1:khEcpUM4yFcxg4 github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= -github.com/gofrs/flock v0.7.1 h1:DP+LD/t0njgoPBvT5MJLeliUIVQR03hiKR6vezdwHlc= -github.com/gofrs/flock v0.7.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gofrs/flock v0.8.0 h1:MSdYClljsF3PbENUUEx85nkWfJSGfzYI9yEBZOJz6CY= github.com/gofrs/flock v0.8.0/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= @@ -244,8 +238,6 @@ github.com/golangci/gocyclo v0.0.0-20180528144436-0a533e8fa43d h1:pXTK/gkVNs7Zyy github.com/golangci/gocyclo v0.0.0-20180528144436-0a533e8fa43d/go.mod h1:ozx7R9SIwqmqf5pRP90DhR2Oay2UIjGuKheCBCNwAYU= github.com/golangci/gofmt v0.0.0-20190930125516-244bba706f1a h1:iR3fYXUjHCR97qWS8ch1y9zPNsgXThGwjKPrYfqMPks= github.com/golangci/gofmt v0.0.0-20190930125516-244bba706f1a/go.mod h1:9qCChq59u/eW8im404Q2WWTrnBUQKjpNYKMbU4M7EFU= -github.com/golangci/golangci-lint v1.30.0 h1:UhdK5WbO0GBd7W+k2lOD7BEJH4Wsa7zKfw8m3/aEJGQ= -github.com/golangci/golangci-lint v1.30.0/go.mod h1:5t0i3wHlqQc9deBBvZsP+a/4xz7cfjV+zhp5U0Mzp14= github.com/golangci/golangci-lint v1.31.0 h1:+m9I3LEmxXLpymkXRPkDQGzOVBmBYm16UtDiXqZxWek= github.com/golangci/golangci-lint v1.31.0/go.mod h1:aMQuNCA+NDU5+4jLL5pEuFHoue0IznKE2+/GsFvvs8A= github.com/golangci/ineffassign v0.0.0-20190609212857-42439a7714cc h1:gLLhTLMk2/SutryVJ6D4VZCU3CUqr8YloG7FPIBWFpI= @@ -358,8 +350,6 @@ github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvW github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.10.4/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= -github.com/klauspost/compress v1.10.5/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.10.7/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.10.10/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= @@ -436,8 +426,6 @@ github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d h1:AREM5mwr4u1 github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d/go.mod h1:o96djdrsSGy3AWPyBgZMAGfxZNfgntdJG+11KU4QvbU= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= -github.com/nishanths/exhaustive v0.0.0-20200708172631-8866003e3856 h1:W3KBC2LFyfgd+wNudlfgCCsTo4q97MeNWrfz8/wSdSc= -github.com/nishanths/exhaustive v0.0.0-20200708172631-8866003e3856/go.mod h1:wBEpHwM2OdmeNpdCvRPUlkEbBuaFmcK4Wv8Q7FuGW3c= github.com/nishanths/exhaustive v0.0.0-20200811152831-6cf413ae40e0 h1:eMV1t2NQRc3r1k3guWiv/zEeqZZP6kPvpUfy6byfL1g= github.com/nishanths/exhaustive v0.0.0-20200811152831-6cf413ae40e0/go.mod h1:wBEpHwM2OdmeNpdCvRPUlkEbBuaFmcK4Wv8Q7FuGW3c= github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78= @@ -492,8 +480,6 @@ github.com/prometheus/procfs v0.1.3 h1:F0+tqvhOksq22sc6iCHF5WGlWjdwj92p0udFh1VFB github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:5STLWrekHfjyYwxBRVRXNOSewLJ3PWfDJd1VyTS21fI= -github.com/quasilyte/go-ruleguard v0.1.2-0.20200318202121-b00d7a75d3d8 h1:DvnesvLtRPQOvaUbfXfh0tpMHg29by0H7F2U+QIkSu8= -github.com/quasilyte/go-ruleguard v0.1.2-0.20200318202121-b00d7a75d3d8/go.mod h1:CGFX09Ci3pq9QZdj86B+VGIdNj4VyCo2iPOGS9esB/k= github.com/quasilyte/go-ruleguard v0.2.0 h1:UOVMyH2EKkxIfzrULvA9n/tO+HtEhqD9mrLSWMr5FwU= github.com/quasilyte/go-ruleguard v0.2.0/go.mod h1:2RT/tf0Ce0UDj5y243iWKosQogJd8+1G3Rs2fxmlYnw= github.com/quasilyte/regex/syntax v0.0.0-20200407221936-30656e2c4a95 h1:L8QM9bvf68pVdQ3bCFZMDmnt9yqcMBro1pC7F+IPYMY= @@ -534,8 +520,6 @@ github.com/soheilhy/cmux v0.1.4 h1:0HKaf1o97UwFjHH9o5XsHUOF+tqmdA7KEzXLpiyaw0E= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/sonatard/noctx v0.0.1 h1:VC1Qhl6Oxx9vvWo3UDgrGXYCeKCe3Wbw7qAWL6FrmTY= github.com/sonatard/noctx v0.0.1/go.mod h1:9D2D/EoULe8Yy2joDHJj7bv3sZoq9AaSb8B4lqBjiZI= -github.com/sourcegraph/go-diff v0.5.3 h1:lhIKJ2nXLZZ+AfbHpYxTn0pXpNTTui0DX7DO3xeb1Zs= -github.com/sourcegraph/go-diff v0.5.3/go.mod h1:v9JDtjCE4HHHCZGId75rg8gkKKa98RVjBcBGsVmMmak= github.com/sourcegraph/go-diff v0.6.0 h1:WbN9e/jD8ujU+o0vd9IFN5AEwtfB0rn/zM/AANaClqQ= github.com/sourcegraph/go-diff v0.6.0/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= @@ -555,12 +539,8 @@ github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnIn github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= -github.com/spf13/viper v1.7.0 h1:xVKxvI7ouOI5I+U9s2eeiUfMaWBVoXA3AWskkrqK0VM= -github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/spf13/viper v1.7.1 h1:pM5oEahlgWv/WnHXpgbKz7iLIxRf65tye2Ci+XFK5sk= github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= -github.com/ssgreg/nlreturn/v2 v2.0.1 h1:+lm6xFjVuNw/9t/Fh5sIwfNWefiD5bddzc6vwJ1TvRI= -github.com/ssgreg/nlreturn/v2 v2.0.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I= github.com/ssgreg/nlreturn/v2 v2.1.0 h1:6/s4Rc49L6Uo6RLjhWZGBpWWjfzk2yrf1nIW8m4wgVA= github.com/ssgreg/nlreturn/v2 v2.1.0/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= @@ -587,8 +567,6 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1 github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa h1:RC4maTWLKKwb7p1cnoygsbKIgNlJqSYBeAFON3Ar8As= github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa/go.mod h1:dSUh0FtTP8VhvkL1S+gUR1OKd9ZnSaozuI6r3m6wOig= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= -github.com/ultraware/funlen v0.0.2 h1:Av96YVBwwNSe4MLR7iI/BIa3VyI7/djnto/pK3Uxbdo= -github.com/ultraware/funlen v0.0.2/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA= github.com/ultraware/funlen v0.0.3 h1:5ylVWm8wsNwH5aWo9438pwvsK0QiqVuUrt9bn7S/iLA= github.com/ultraware/funlen v0.0.3/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA= github.com/ultraware/whitespace v0.0.4 h1:If7Va4cM03mpgrNH9k49/VOicWpGoG70XPBFFODYDsg= @@ -597,9 +575,7 @@ github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijb github.com/uudashr/gocognit v1.0.1 h1:MoG2fZ0b/Eo7NXoIwCVFLG5JED3qgQz5/NEE+rOsjPs= github.com/uudashr/gocognit v1.0.1/go.mod h1:j44Ayx2KW4+oB6SWMv8KsmHzZrOInQav7D3cQMJ5JUM= github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= -github.com/valyala/fasthttp v1.12.0/go.mod h1:229t1eWu9UXTPmoUkbpN/fctKPBY4IJoFXQnxHGXy6E= github.com/valyala/fasthttp v1.15.1/go.mod h1:YOKImeEosDdBPnxc0gy7INqi3m1zK6A+xl6TwOBhHCA= -github.com/valyala/quicktemplate v1.5.1/go.mod h1:v7yYWpBEiutDyNfVaph6oC/yKwejzVyTX/2cwwHxyok= github.com/valyala/quicktemplate v1.6.2/go.mod h1:mtEJpQtUiBV0SHhMX6RtiJtqxncgrfmjcUy5T68X8TM= github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8= @@ -749,7 +725,6 @@ golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181117154741-2ddaf7f79a09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190110163146-51295c7ec13a/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190221204921-83362c3779f5/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= @@ -762,7 +737,6 @@ golang.org/x/tools v0.0.0-20190322203728-c1a832b0ad89/go.mod h1:LCzVGOaR6xXOjkQ3 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190521203540-521d6ed310dd/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= @@ -881,8 +855,6 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= -honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8= -honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.5 h1:nI5egYTGJakVyOryqLs1cQO5dO0ksin5XXs2pspk75k= honnef.co/go/tools v0.0.1-2020.1.5/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= k8s.io/api v0.19.0 h1:XyrFIJqTYZJ2DU7FBE/bSPz7b1HvbVBuBf07oeo6eTc= @@ -925,5 +897,3 @@ sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= -sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4 h1:JPJh2pk3+X4lXAkZIk2RuE/7/FoK9maXw+TNPJhVS/c= -sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0= diff --git a/hack/lib/docs/config.yaml b/hack/lib/docs/config.yaml index 9ecc75a2..2a01e07c 100644 --- a/hack/lib/docs/config.yaml +++ b/hack/lib/docs/config.yaml @@ -4,6 +4,7 @@ processor: # Ignore internal API versions ignoreGroupVersions: - "crd.pinniped.dev/crdpinniped" + - "idp.pinniped.dev/idp" - "pinniped.dev/pinniped" ignoreFields: - "TypeMeta$" diff --git a/hack/lib/update-codegen.sh b/hack/lib/update-codegen.sh index baba076b..cb687880 100755 --- a/hack/lib/update-codegen.sh +++ b/hack/lib/update-codegen.sh @@ -121,7 +121,7 @@ echo "generating API-related code for our internal API groups..." "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client" \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ - "pinniped:v1alpha1 crdpinniped:v1alpha1" \ + "pinniped:v1alpha1 crdpinniped:v1alpha1 idp:v1alpha1" \ --go-header-file "${ROOT}/hack/boilerplate.go.txt" 2>&1 | sed "s|^|gen-int-api > |" ) @@ -136,7 +136,7 @@ echo "generating client code for our public API groups..." client,lister,informer \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client" \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ - "pinniped:v1alpha1 crdpinniped:v1alpha1" \ + "pinniped:v1alpha1 crdpinniped:v1alpha1 idp:v1alpha1" \ --go-header-file "${ROOT}/hack/boilerplate.go.txt" 2>&1 | sed "s|^|gen-client > |" ) @@ -155,5 +155,6 @@ crd-ref-docs \ # Generate CRD YAML (cd apis && - controller-gen paths=./crdpinniped/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds + controller-gen paths=./crdpinniped/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds && + controller-gen paths=./idp/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds ) diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh index d68fb6eb..9cc8c3b6 100755 --- a/hack/prepare-for-integration-tests.sh +++ b/hack/prepare-for-integration-tests.sh @@ -88,6 +88,12 @@ check_dependency kapp "Please install kapp. e.g. 'brew tap k14s/tap && brew inst check_dependency kubectl "Please install kubectl. e.g. 'brew install kubectl' for MacOS" check_dependency htpasswd "Please install htpasswd. Should be pre-installed on MacOS. Usually found in 'apache2-utils' package for linux." +# Require kubectl >= 1.18.x +if [ "$(kubectl version --client=true --short | cut -d '.' -f 2)" -lt 18 ]; then + echo "kubectl >= 1.18.x is required, you have $(kubectl version --client=true --short | cut -d ':' -f2)" + exit 1 +fi + # # Setup kind and build the app # @@ -189,7 +195,6 @@ ytt --file . \ --data-value "webhook_ca_bundle=$webhook_ca_bundle" \ --data-value "discovery_url=$discovery_url" >"$manifest" -kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema. kapp deploy --yes --app "$app_name" --diff-changes --file "$manifest" popd >/dev/null diff --git a/hack/update.sh b/hack/update.sh index 00c15ae7..ebf7280f 100755 --- a/hack/update.sh +++ b/hack/update.sh @@ -8,5 +8,5 @@ set -euo pipefail ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )" xargs "$ROOT/hack/lib/update-codegen.sh" < "${ROOT}/hack/lib/kube-versions.txt" -cp "$ROOT/generated/1.19/crds/crd.pinniped.dev_credentialissuerconfigs.yaml" "$ROOT/deploy/crd.yaml" +cp "$ROOT/generated/1.19/crds/"*.yaml "$ROOT/deploy/" "$ROOT/hack/module.sh" tidy diff --git a/internal/apiserver/apiserver.go b/internal/apiserver/apiserver.go index 8d96de53..bf411d62 100644 --- a/internal/apiserver/apiserver.go +++ b/internal/apiserver/apiserver.go @@ -57,7 +57,7 @@ type Config struct { } type ExtraConfig struct { - Webhook authenticator.Token + TokenAuthenticator authenticator.Token Issuer credentialrequest.CertIssuer StartControllersPostStartHook func(ctx context.Context) } @@ -111,7 +111,7 @@ func (c completedConfig) New() (*PinnipedServer, error) { NegotiatedSerializer: Codecs, } - credentialRequestStorage := credentialrequest.NewREST(c.ExtraConfig.Webhook, c.ExtraConfig.Issuer) + credentialRequestStorage := credentialrequest.NewREST(c.ExtraConfig.TokenAuthenticator, c.ExtraConfig.Issuer) v1alpha1Storage, ok := apiGroupInfo.VersionedResourcesStorageMap[gvr.Version] if !ok { diff --git a/internal/client/client_test.go b/internal/client/client_test.go index 30b1b795..b932d1f7 100644 --- a/internal/client/client_test.go +++ b/internal/client/client_test.go @@ -8,10 +8,8 @@ package client import ( "context" "encoding/json" - "encoding/pem" "io/ioutil" "net/http" - "net/http/httptest" "testing" "time" @@ -20,20 +18,9 @@ import ( clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1" "github.com/suzerain-io/pinniped/generated/1.19/apis/pinniped/v1alpha1" + "github.com/suzerain-io/pinniped/internal/testutil" ) -func startTestServer(t *testing.T, handler http.HandlerFunc) (string, string) { - t.Helper() - server := httptest.NewTLSServer(handler) - t.Cleanup(server.Close) - - caBundle := string(pem.EncodeToMemory(&pem.Block{ - Type: "CERTIFICATE", - Bytes: server.TLS.Certificates[0].Certificate[0], - })) - return caBundle, server.URL -} - func TestExchangeToken(t *testing.T) { t.Parallel() ctx := context.Background() @@ -48,7 +35,7 @@ func TestExchangeToken(t *testing.T) { t.Run("server error", func(t *testing.T) { t.Parallel() // Start a test server that returns only 500 errors. - caBundle, endpoint := startTestServer(t, func(w http.ResponseWriter, r *http.Request) { + caBundle, endpoint := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusInternalServerError) _, _ = w.Write([]byte("some server error")) }) @@ -62,7 +49,7 @@ func TestExchangeToken(t *testing.T) { t.Parallel() // Start a test server that returns success but with an error message errorMessage := "some login failure" - caBundle, endpoint := startTestServer(t, func(w http.ResponseWriter, r *http.Request) { + caBundle, endpoint := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) { w.Header().Set("content-type", "application/json") _ = json.NewEncoder(w).Encode(&v1alpha1.CredentialRequest{ TypeMeta: metav1.TypeMeta{APIVersion: "pinniped.dev/v1alpha1", Kind: "CredentialRequest"}, @@ -80,7 +67,7 @@ func TestExchangeToken(t *testing.T) { expires := metav1.NewTime(time.Now().Truncate(time.Second)) // Start a test server that returns successfully and asserts various properties of the request. - caBundle, endpoint := startTestServer(t, func(w http.ResponseWriter, r *http.Request) { + caBundle, endpoint := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) { require.Equal(t, http.MethodPost, r.Method) require.Equal(t, "/apis/pinniped.dev/v1alpha1/credentialrequests", r.URL.Path) require.Equal(t, "application/json", r.Header.Get("content-type")) diff --git a/internal/controller/identityprovider/idpcache/cache.go b/internal/controller/identityprovider/idpcache/cache.go new file mode 100644 index 00000000..0fddc211 --- /dev/null +++ b/internal/controller/identityprovider/idpcache/cache.go @@ -0,0 +1,77 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Package idpcache implements a cache of active identity providers. +package idpcache + +import ( + "context" + "fmt" + "sync" + + "k8s.io/apiserver/pkg/authentication/authenticator" + + "github.com/suzerain-io/pinniped/internal/controllerlib" +) + +var ( + // ErrNoIDPs is returned by Cache.AuthenticateToken() when there are no IDPs configured. + ErrNoIDPs = fmt.Errorf("no identity providers are loaded") + + // ErrIndeterminateIDP is returned by Cache.AuthenticateToken() when the correct IDP cannot be determined. + ErrIndeterminateIDP = fmt.Errorf("could not uniquely match against an identity provider") +) + +// Cache implements the authenticator.Token interface by multiplexing across a dynamic set of identity providers +// loaded from IDP resources. +type Cache struct { + cache sync.Map +} + +// New returns an empty cache. +func New() *Cache { + return &Cache{} +} + +// Store an identity provider into the cache. +func (c *Cache) Store(key controllerlib.Key, value authenticator.Token) { + c.cache.Store(key, value) +} + +// Delete an identity provider from the cache. +func (c *Cache) Delete(key controllerlib.Key) { + c.cache.Delete(key) +} + +// Keys currently stored in the cache. +func (c *Cache) Keys() []controllerlib.Key { + var result []controllerlib.Key + c.cache.Range(func(key, _ interface{}) bool { + result = append(result, key.(controllerlib.Key)) + return true + }) + return result +} + +// AuthenticateToken validates the provided token against the currently loaded identity providers. +func (c *Cache) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) { + var matchingIDPs []authenticator.Token + c.cache.Range(func(key, value interface{}) bool { + matchingIDPs = append(matchingIDPs, value.(authenticator.Token)) + return true + }) + + // Return an error if there are no known IDPs. + if len(matchingIDPs) == 0 { + return nil, false, ErrNoIDPs + } + + // For now, allow there to be only exactly one IDP (until we specify a good mechanism for selecting one). + if len(matchingIDPs) != 1 { + return nil, false, ErrIndeterminateIDP + } + + return matchingIDPs[0].AuthenticateToken(ctx, token) +} diff --git a/internal/controller/identityprovider/idpcache/cache_test.go b/internal/controller/identityprovider/idpcache/cache_test.go new file mode 100644 index 00000000..48b971b3 --- /dev/null +++ b/internal/controller/identityprovider/idpcache/cache_test.go @@ -0,0 +1,101 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package idpcache + +import ( + "context" + "testing" + + "github.com/golang/mock/gomock" + "github.com/stretchr/testify/require" + "k8s.io/apiserver/pkg/authentication/authenticator" + "k8s.io/apiserver/pkg/authentication/user" + + "github.com/suzerain-io/pinniped/internal/controllerlib" + "github.com/suzerain-io/pinniped/internal/mocks/mocktokenauthenticator" +) + +func TestCache(t *testing.T) { + t.Parallel() + + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + tests := []struct { + name string + mockAuthenticators map[controllerlib.Key]func(*mocktokenauthenticator.MockToken) + wantResponse *authenticator.Response + wantAuthenticated bool + wantErr string + }{ + { + name: "no IDPs", + wantErr: "no identity providers are loaded", + }, + { + name: "multiple IDPs", + mockAuthenticators: map[controllerlib.Key]func(mockToken *mocktokenauthenticator.MockToken){ + controllerlib.Key{Namespace: "foo", Name: "idp-one"}: nil, + controllerlib.Key{Namespace: "foo", Name: "idp-two"}: nil, + }, + wantErr: "could not uniquely match against an identity provider", + }, + { + name: "success", + mockAuthenticators: map[controllerlib.Key]func(mockToken *mocktokenauthenticator.MockToken){ + controllerlib.Key{ + Namespace: "foo", + Name: "idp-one", + }: func(mockToken *mocktokenauthenticator.MockToken) { + mockToken.EXPECT().AuthenticateToken(ctx, "test-token").Return( + &authenticator.Response{User: &user.DefaultInfo{Name: "test-user"}}, + true, + nil, + ) + }, + }, + wantResponse: &authenticator.Response{User: &user.DefaultInfo{Name: "test-user"}}, + wantAuthenticated: true, + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + ctrl := gomock.NewController(t) + defer ctrl.Finish() + + cache := New() + require.NotNil(t, cache) + require.Implements(t, (*authenticator.Token)(nil), cache) + + for key, mockFunc := range tt.mockAuthenticators { + mockToken := mocktokenauthenticator.NewMockToken(ctrl) + if mockFunc != nil { + mockFunc(mockToken) + } + cache.Store(key, mockToken) + } + + require.Equal(t, len(tt.mockAuthenticators), len(cache.Keys())) + + resp, authenticated, err := cache.AuthenticateToken(ctx, "test-token") + require.Equal(t, tt.wantResponse, resp) + require.Equal(t, tt.wantAuthenticated, authenticated) + if tt.wantErr != "" { + require.EqualError(t, err, tt.wantErr) + return + } + require.NoError(t, err) + + for _, key := range cache.Keys() { + cache.Delete(key) + } + require.Zero(t, len(cache.Keys())) + }) + } +} diff --git a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go new file mode 100644 index 00000000..dd14de88 --- /dev/null +++ b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go @@ -0,0 +1,70 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Package webhookcachecleaner implements a controller for garbage collectting webhook IDPs from an IDP cache. +package webhookcachecleaner + +import ( + "fmt" + + "github.com/go-logr/logr" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/klog/v2" + + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + idpinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/idp/v1alpha1" + pinnipedcontroller "github.com/suzerain-io/pinniped/internal/controller" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache" + "github.com/suzerain-io/pinniped/internal/controllerlib" +) + +// New instantiates a new controllerlib.Controller which will garbage collect webhooks from the provided Cache. +func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookIdentityProviderInformer, log logr.Logger) controllerlib.Controller { + return controllerlib.New( + controllerlib.Config{ + Name: "webhookcachecleaner-controller", + Syncer: &controller{ + cache: cache, + webhookIDPs: webhookIDPs, + log: log.WithName("webhookcachecleaner-controller"), + }, + }, + controllerlib.WithInformer( + webhookIDPs, + pinnipedcontroller.NoOpFilter(), + controllerlib.InformerOption{}, + ), + ) +} + +type controller struct { + cache *idpcache.Cache + webhookIDPs idpinformers.WebhookIdentityProviderInformer + log logr.Logger +} + +// Sync implements controllerlib.Syncer. +func (c *controller) Sync(ctx controllerlib.Context) error { + webhooks, err := c.webhookIDPs.Lister().List(labels.Everything()) + if err != nil { + return fmt.Errorf("failed to list WebhookIdentityProviders: %w", err) + } + + // Index the current webhooks by key. + webhooksByKey := map[controllerlib.Key]*idpv1alpha1.WebhookIdentityProvider{} + for _, webhook := range webhooks { + key := controllerlib.Key{Namespace: webhook.Namespace, Name: webhook.Name} + webhooksByKey[key] = webhook + } + + // Delete any entries from the cache which are no longer in the cluster. + for _, key := range c.cache.Keys() { + if _, exists := webhooksByKey[key]; !exists { + c.log.WithValues("idp", klog.KRef(key.Namespace, key.Name)).Info("deleting webhook IDP from cache") + c.cache.Delete(key) + } + } + return nil +} diff --git a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go new file mode 100644 index 00000000..56a29bc6 --- /dev/null +++ b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go @@ -0,0 +1,128 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package webhookcachecleaner + +import ( + "context" + "testing" + "time" + + "github.com/stretchr/testify/require" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apiserver/pkg/authentication/authenticator" + + idpv1alpha "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + pinnipedfake "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/fake" + pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache" + "github.com/suzerain-io/pinniped/internal/controllerlib" + "github.com/suzerain-io/pinniped/internal/testutil/testlogger" +) + +func TestController(t *testing.T) { + t.Parallel() + + testKey1 := controllerlib.Key{Namespace: "test-namespace", Name: "test-name-one"} + testKey2 := controllerlib.Key{Namespace: "test-namespace", Name: "test-name-two"} + + tests := []struct { + name string + syncKey controllerlib.Key + webhookIDPs []runtime.Object + initialCache map[controllerlib.Key]authenticator.Token + wantErr string + wantLogs []string + wantCacheKeys []controllerlib.Key + }{ + { + name: "no change", + syncKey: testKey1, + initialCache: map[controllerlib.Key]authenticator.Token{testKey1: nil}, + webhookIDPs: []runtime.Object{ + &idpv1alpha.WebhookIdentityProvider{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: testKey1.Namespace, + Name: testKey1.Name, + }, + }, + }, + wantCacheKeys: []controllerlib.Key{testKey1}, + }, + { + name: "IDPs not yet added", + syncKey: testKey1, + initialCache: nil, + webhookIDPs: []runtime.Object{ + &idpv1alpha.WebhookIdentityProvider{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: testKey1.Namespace, + Name: testKey1.Name, + }, + }, + &idpv1alpha.WebhookIdentityProvider{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: testKey2.Namespace, + Name: testKey2.Name, + }, + }, + }, + wantCacheKeys: []controllerlib.Key{}, + }, + { + name: "successful cleanup", + syncKey: testKey1, + initialCache: map[controllerlib.Key]authenticator.Token{ + testKey1: nil, + testKey2: nil, + }, + webhookIDPs: []runtime.Object{ + &idpv1alpha.WebhookIdentityProvider{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: testKey1.Namespace, + Name: testKey1.Name, + }, + }, + }, + wantLogs: []string{ + `webhookcachecleaner-controller "level"=0 "msg"="deleting webhook IDP from cache" "idp"={"name":"test-name-two","namespace":"test-namespace"}`, + }, + wantCacheKeys: []controllerlib.Key{testKey1}, + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + fakeClient := pinnipedfake.NewSimpleClientset(tt.webhookIDPs...) + informers := pinnipedinformers.NewSharedInformerFactory(fakeClient, 0) + cache := idpcache.New() + for k, v := range tt.initialCache { + cache.Store(k, v) + } + testLog := testlogger.New(t) + + controller := New(cache, informers.IDP().V1alpha1().WebhookIdentityProviders(), testLog) + + ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) + defer cancel() + + informers.Start(ctx.Done()) + controllerlib.TestRunSynchronously(t, controller) + + syncCtx := controllerlib.Context{Context: ctx, Key: tt.syncKey} + + if err := controllerlib.TestSync(t, controller, syncCtx); tt.wantErr != "" { + require.EqualError(t, err, tt.wantErr) + } else { + require.NoError(t, err) + } + require.Equal(t, tt.wantLogs, testLog.Lines()) + require.ElementsMatch(t, tt.wantCacheKeys, cache.Keys()) + }) + } +} diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go new file mode 100644 index 00000000..867ba6dc --- /dev/null +++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go @@ -0,0 +1,127 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Package webhookcachefiller implements a controller for filling an idpcache.Cache with each added/updated WebhookIdentityProvider. +package webhookcachefiller + +import ( + "encoding/base64" + "fmt" + "io/ioutil" + "os" + + "github.com/go-logr/logr" + k8sauthv1beta1 "k8s.io/api/authentication/v1beta1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/util/net" + "k8s.io/apiserver/pkg/authentication/authenticator" + "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook" + "k8s.io/client-go/tools/clientcmd" + clientcmdapi "k8s.io/client-go/tools/clientcmd/api" + "k8s.io/klog/v2" + + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + idpinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/idp/v1alpha1" + pinnipedcontroller "github.com/suzerain-io/pinniped/internal/controller" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache" + "github.com/suzerain-io/pinniped/internal/controllerlib" +) + +// New instantiates a new controllerlib.Controller which will populate the provided idpcache.Cache. +func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookIdentityProviderInformer, log logr.Logger) controllerlib.Controller { + return controllerlib.New( + controllerlib.Config{ + Name: "webhookcachefiller-controller", + Syncer: &controller{ + cache: cache, + webhookIDPs: webhookIDPs, + log: log.WithName("webhookcachefiller-controller"), + }, + }, + controllerlib.WithInformer( + webhookIDPs, + pinnipedcontroller.NoOpFilter(), + controllerlib.InformerOption{}, + ), + ) +} + +type controller struct { + cache *idpcache.Cache + webhookIDPs idpinformers.WebhookIdentityProviderInformer + log logr.Logger +} + +// Sync implements controllerlib.Syncer. +func (c *controller) Sync(ctx controllerlib.Context) error { + obj, err := c.webhookIDPs.Lister().WebhookIdentityProviders(ctx.Key.Namespace).Get(ctx.Key.Name) + if err != nil && errors.IsNotFound(err) { + c.log.Info("Sync() found that the WebhookIdentityProvider does not exist yet or was deleted") + return nil + } + if err != nil { + return fmt.Errorf("failed to get WebhookIdentityProvider %s/%s: %w", ctx.Key.Namespace, ctx.Key.Name, err) + } + + webhookAuthenticator, err := newWebhookAuthenticator(&obj.Spec, ioutil.TempFile, clientcmd.WriteToFile) + if err != nil { + return fmt.Errorf("failed to build webhook config: %w", err) + } + + c.cache.Store(ctx.Key, webhookAuthenticator) + c.log.WithValues("idp", klog.KObj(obj), "endpoint", obj.Spec.Endpoint).Info("added new webhook IDP") + return nil +} + +// newWebhookAuthenticator creates a webhook from the provided API server url and caBundle +// used to validate TLS connections. +func newWebhookAuthenticator( + spec *idpv1alpha1.WebhookIdentityProviderSpec, + tempfileFunc func(string, string) (*os.File, error), + marshalFunc func(clientcmdapi.Config, string) error, +) (*webhook.WebhookTokenAuthenticator, error) { + temp, err := tempfileFunc("", "pinniped-webhook-kubeconfig-*") + if err != nil { + return nil, fmt.Errorf("unable to create temporary file: %w", err) + } + defer func() { _ = os.Remove(temp.Name()) }() + + cluster := &clientcmdapi.Cluster{Server: spec.Endpoint} + cluster.CertificateAuthorityData, err = getCABundle(spec.TLS) + if err != nil { + return nil, fmt.Errorf("invalid TLS configuration: %w", err) + } + + kubeconfig := clientcmdapi.NewConfig() + kubeconfig.Clusters["anonymous-cluster"] = cluster + kubeconfig.Contexts["anonymous"] = &clientcmdapi.Context{Cluster: "anonymous-cluster"} + kubeconfig.CurrentContext = "anonymous" + + if err := marshalFunc(*kubeconfig, temp.Name()); err != nil { + return nil, fmt.Errorf("unable to marshal kubeconfig: %w", err) + } + + // We use v1beta1 instead of v1 since v1beta1 is more prevalent in our desired + // integration points. + version := k8sauthv1beta1.SchemeGroupVersion.Version + + // At the current time, we don't provide any audiences because we simply don't + // have any requirements to do so. This can be changed in the future as + // requirements change. + var implicitAuds authenticator.Audiences + + // We set this to nil because we would only need this to support some of the + // custom proxy stuff used by the API server. + var customDial net.DialFunc + + return webhook.New(temp.Name(), version, implicitAuds, customDial) +} + +func getCABundle(spec *idpv1alpha1.TLSSpec) ([]byte, error) { + if spec == nil { + return nil, nil + } + return base64.StdEncoding.DecodeString(spec.CertificateAuthorityData) +} diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go new file mode 100644 index 00000000..82e4fa35 --- /dev/null +++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go @@ -0,0 +1,174 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package webhookcachefiller + +import ( + "context" + "encoding/base64" + "fmt" + "io/ioutil" + "net/http" + "os" + "testing" + "time" + + "github.com/stretchr/testify/require" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/client-go/tools/clientcmd" + clientcmdapi "k8s.io/client-go/tools/clientcmd/api" + + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + pinnipedfake "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/fake" + pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache" + "github.com/suzerain-io/pinniped/internal/controllerlib" + "github.com/suzerain-io/pinniped/internal/testutil" + "github.com/suzerain-io/pinniped/internal/testutil/testlogger" +) + +func TestController(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + syncKey controllerlib.Key + webhookIDPs []runtime.Object + wantErr string + wantLogs []string + wantCacheEntries int + }{ + { + name: "not found", + syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + wantLogs: []string{ + `webhookcachefiller-controller "level"=0 "msg"="Sync() found that the WebhookIdentityProvider does not exist yet or was deleted"`, + }, + }, + { + name: "invalid webhook", + syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + webhookIDPs: []runtime.Object{ + &idpv1alpha1.WebhookIdentityProvider{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-namespace", + Name: "test-name", + }, + Spec: idpv1alpha1.WebhookIdentityProviderSpec{ + Endpoint: "invalid url", + }, + }, + }, + wantErr: `failed to build webhook config: parse "http://invalid url": invalid character " " in host name`, + }, + { + name: "valid webhook", + syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + webhookIDPs: []runtime.Object{ + &idpv1alpha1.WebhookIdentityProvider{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-namespace", + Name: "test-name", + }, + Spec: idpv1alpha1.WebhookIdentityProviderSpec{ + Endpoint: "https://example.com", + TLS: &idpv1alpha1.TLSSpec{CertificateAuthorityData: ""}, + }, + }, + }, + wantLogs: []string{ + `webhookcachefiller-controller "level"=0 "msg"="added new webhook IDP" "endpoint"="https://example.com" "idp"={"name":"test-name","namespace":"test-namespace"}`, + }, + wantCacheEntries: 1, + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + fakeClient := pinnipedfake.NewSimpleClientset(tt.webhookIDPs...) + informers := pinnipedinformers.NewSharedInformerFactory(fakeClient, 0) + cache := idpcache.New() + testLog := testlogger.New(t) + + controller := New(cache, informers.IDP().V1alpha1().WebhookIdentityProviders(), testLog) + + ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) + defer cancel() + + informers.Start(ctx.Done()) + controllerlib.TestRunSynchronously(t, controller) + + syncCtx := controllerlib.Context{Context: ctx, Key: tt.syncKey} + + if err := controllerlib.TestSync(t, controller, syncCtx); tt.wantErr != "" { + require.EqualError(t, err, tt.wantErr) + } else { + require.NoError(t, err) + } + require.Equal(t, tt.wantLogs, testLog.Lines()) + require.Equal(t, tt.wantCacheEntries, len(cache.Keys())) + }) + } +} + +func TestNewWebhookAuthenticator(t *testing.T) { + t.Run("temp file failure", func(t *testing.T) { + brokenTempFile := func(_ string, _ string) (*os.File, error) { return nil, fmt.Errorf("some temp file error") } + res, err := newWebhookAuthenticator(nil, brokenTempFile, clientcmd.WriteToFile) + require.Nil(t, res) + require.EqualError(t, err, "unable to create temporary file: some temp file error") + }) + + t.Run("marshal failure", func(t *testing.T) { + marshalError := func(_ clientcmdapi.Config, _ string) error { return fmt.Errorf("some marshal error") } + res, err := newWebhookAuthenticator(&idpv1alpha1.WebhookIdentityProviderSpec{}, ioutil.TempFile, marshalError) + require.Nil(t, res) + require.EqualError(t, err, "unable to marshal kubeconfig: some marshal error") + }) + + t.Run("invalid base64", func(t *testing.T) { + res, err := newWebhookAuthenticator(&idpv1alpha1.WebhookIdentityProviderSpec{ + Endpoint: "https://example.com", + TLS: &idpv1alpha1.TLSSpec{CertificateAuthorityData: "invalid-base64"}, + }, ioutil.TempFile, clientcmd.WriteToFile) + require.Nil(t, res) + require.EqualError(t, err, "invalid TLS configuration: illegal base64 data at input byte 7") + }) + + t.Run("valid config with no TLS spec", func(t *testing.T) { + res, err := newWebhookAuthenticator(&idpv1alpha1.WebhookIdentityProviderSpec{ + Endpoint: "https://example.com", + }, ioutil.TempFile, clientcmd.WriteToFile) + require.NotNil(t, res) + require.NoError(t, err) + }) + + t.Run("success", func(t *testing.T) { + caBundle, url := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) { + body, err := ioutil.ReadAll(r.Body) + require.NoError(t, err) + require.Contains(t, string(body), "test-token") + _, err = w.Write([]byte(`{}`)) + require.NoError(t, err) + }) + spec := &idpv1alpha1.WebhookIdentityProviderSpec{ + Endpoint: url, + TLS: &idpv1alpha1.TLSSpec{ + CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(caBundle)), + }, + } + res, err := newWebhookAuthenticator(spec, ioutil.TempFile, clientcmd.WriteToFile) + require.NoError(t, err) + require.NotNil(t, res) + + resp, authenticated, err := res.AuthenticateToken(context.Background(), "test-token") + require.NoError(t, err) + require.Nil(t, resp) + require.False(t, authenticated) + }) +} diff --git a/internal/controller/issuerconfig/create_or_update_credential_issuer_config.go b/internal/controller/issuerconfig/create_or_update_credential_issuer_config.go index 07138789..99410e9b 100644 --- a/internal/controller/issuerconfig/create_or_update_credential_issuer_config.go +++ b/internal/controller/issuerconfig/create_or_update_credential_issuer_config.go @@ -28,7 +28,7 @@ func CreateOrUpdateCredentialIssuerConfig( existingCredentialIssuerConfig, err := pinnipedClient. CrdV1alpha1(). CredentialIssuerConfigs(credentialIssuerConfigNamespace). - Get(ctx, configName, metav1.GetOptions{}) + Get(ctx, ConfigName, metav1.GetOptions{}) notFound := k8serrors.IsNotFound(err) if err != nil && !notFound { @@ -39,7 +39,7 @@ func CreateOrUpdateCredentialIssuerConfig( ctx, existingCredentialIssuerConfig, notFound, - configName, + ConfigName, credentialIssuerConfigNamespace, pinnipedClient, applyUpdatesToCredentialIssuerConfigFunc) diff --git a/internal/controller/issuerconfig/publisher.go b/internal/controller/issuerconfig/publisher.go index 46774514..82bf5293 100644 --- a/internal/controller/issuerconfig/publisher.go +++ b/internal/controller/issuerconfig/publisher.go @@ -24,10 +24,10 @@ import ( const ( ClusterInfoNamespace = "kube-public" + ConfigName = "pinniped-config" + clusterInfoName = "cluster-info" clusterInfoConfigMapKey = "kubeconfig" - - configName = "pinniped-config" ) type publisherController struct { @@ -64,7 +64,7 @@ func NewPublisherController( ), withInformer( credentialIssuerConfigInformer, - pinnipedcontroller.NameAndNamespaceExactMatchFilterFactory(configName, namespace), + pinnipedcontroller.NameAndNamespaceExactMatchFilterFactory(ConfigName, namespace), controllerlib.InformerOption{}, ), ) @@ -114,7 +114,7 @@ func (c *publisherController) Sync(ctx controllerlib.Context) error { existingCredentialIssuerConfigFromInformerCache, err := c.credentialIssuerConfigInformer. Lister(). CredentialIssuerConfigs(c.namespace). - Get(configName) + Get(ConfigName) notFound = k8serrors.IsNotFound(err) if err != nil && !notFound { return fmt.Errorf("could not get credentialissuerconfig: %w", err) @@ -131,7 +131,7 @@ func (c *publisherController) Sync(ctx controllerlib.Context) error { ctx.Context, existingCredentialIssuerConfigFromInformerCache, notFound, - configName, + ConfigName, c.namespace, c.pinnipedClient, updateServerAndCAFunc) diff --git a/internal/controller/issuerconfig/publisher_test.go b/internal/controller/issuerconfig/publisher_test.go index f45d8390..2e7b6987 100644 --- a/internal/controller/issuerconfig/publisher_test.go +++ b/internal/controller/issuerconfig/publisher_test.go @@ -8,7 +8,6 @@ package issuerconfig import ( "context" "errors" - "strings" "testing" "time" @@ -27,6 +26,7 @@ import ( pinnipedfake "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/fake" pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions" "github.com/suzerain-io/pinniped/internal/controllerlib" + "github.com/suzerain-io/pinniped/internal/here" "github.com/suzerain-io/pinniped/internal/testutil" ) @@ -256,14 +256,15 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{Name: "cluster-info", Namespace: "kube-public"}, // Note that go fmt puts tabs in our file, which we must remove from our configmap yaml below. Data: map[string]string{ - "kubeconfig": strings.ReplaceAll(` - kind: Config - apiVersion: v1 - clusters: - - name: "" - cluster: - certificate-authority-data: "`+caData+`" - server: "`+kubeServerURL+`"`, "\t", " "), + "kubeconfig": here.Docf(` + kind: Config + apiVersion: v1 + clusters: + - name: "" + cluster: + certificate-authority-data: "%s" + server: "%s"`, + caData, kubeServerURL), "uninteresting-key": "uninteresting-value", }, } diff --git a/internal/controller/utils.go b/internal/controller/utils.go index 8f0866cb..e84591cc 100644 --- a/internal/controller/utils.go +++ b/internal/controller/utils.go @@ -11,16 +11,23 @@ import ( "github.com/suzerain-io/pinniped/internal/controllerlib" ) -func NameAndNamespaceExactMatchFilterFactory(name, namespace string) controllerlib.FilterFuncs { - objMatchesFunc := func(obj metav1.Object) bool { +func NameAndNamespaceExactMatchFilterFactory(name, namespace string) controllerlib.Filter { + return SimpleFilter(func(obj metav1.Object) bool { return obj.GetName() == name && obj.GetNamespace() == namespace - } + }) +} + +// NoOpFilter returns a controllerlib.Filter that allows all objects. +func NoOpFilter() controllerlib.Filter { + return SimpleFilter(func(object metav1.Object) bool { return true }) +} + +// SimpleFilter takes a single boolean match function on a metav1.Object and wraps it into a proper controllerlib.Filter. +func SimpleFilter(match func(metav1.Object) bool) controllerlib.Filter { return controllerlib.FilterFuncs{ - AddFunc: objMatchesFunc, - UpdateFunc: func(oldObj, newObj metav1.Object) bool { - return objMatchesFunc(oldObj) || objMatchesFunc(newObj) - }, - DeleteFunc: objMatchesFunc, + AddFunc: match, + UpdateFunc: func(oldObj, newObj metav1.Object) bool { return match(oldObj) || match(newObj) }, + DeleteFunc: match, } } diff --git a/internal/controllermanager/prepare_controllers.go b/internal/controllermanager/prepare_controllers.go index dcb565fa..282d17ba 100644 --- a/internal/controllermanager/prepare_controllers.go +++ b/internal/controllermanager/prepare_controllers.go @@ -14,11 +14,15 @@ import ( k8sinformers "k8s.io/client-go/informers" "k8s.io/client-go/kubernetes" restclient "k8s.io/client-go/rest" + "k8s.io/klog/v2/klogr" aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset" pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions" "github.com/suzerain-io/pinniped/internal/controller/apicerts" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/webhookcachecleaner" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/webhookcachefiller" "github.com/suzerain-io/pinniped/internal/controller/issuerconfig" "github.com/suzerain-io/pinniped/internal/controllerlib" "github.com/suzerain-io/pinniped/internal/provider" @@ -36,6 +40,7 @@ func PrepareControllers( dynamicCertProvider provider.DynamicTLSServingCertProvider, servingCertDuration time.Duration, servingCertRenewBefore time.Duration, + idpCache *idpcache.Cache, ) (func(ctx context.Context), error) { // Create k8s clients. k8sClient, aggregatorClient, pinnipedClient, err := createClients() @@ -104,6 +109,22 @@ func PrepareControllers( servingCertRenewBefore, ), singletonWorker, + ). + WithController( + webhookcachefiller.New( + idpCache, + installationNamespacePinnipedInformers.IDP().V1alpha1().WebhookIdentityProviders(), + klogr.New(), + ), + singletonWorker, + ). + WithController( + webhookcachecleaner.New( + idpCache, + installationNamespacePinnipedInformers.IDP().V1alpha1().WebhookIdentityProviders(), + klogr.New(), + ), + singletonWorker, ) // Return a function which starts the informers and controllers. @@ -112,6 +133,10 @@ func PrepareControllers( installationNamespaceK8sInformers.Start(ctx.Done()) installationNamespacePinnipedInformers.Start(ctx.Done()) + kubePublicNamespaceK8sInformers.WaitForCacheSync(ctx.Done()) + installationNamespaceK8sInformers.WaitForCacheSync(ctx.Done()) + installationNamespacePinnipedInformers.WaitForCacheSync(ctx.Done()) + go controllerManager.Start(ctx) }, nil } diff --git a/internal/here/doc.go b/internal/here/doc.go new file mode 100644 index 00000000..5c486c91 --- /dev/null +++ b/internal/here/doc.go @@ -0,0 +1,25 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package here + +import ( + "strings" + + "github.com/MakeNowJust/heredoc/v2" +) + +const ( + tab = "\t" + fourSpaces = " " +) + +func Doc(s string) string { + return strings.ReplaceAll(heredoc.Doc(s), tab, fourSpaces) +} + +func Docf(raw string, args ...interface{}) string { + return strings.ReplaceAll(heredoc.Docf(raw, args...), tab, fourSpaces) +} diff --git a/internal/here/doc_test.go b/internal/here/doc_test.go new file mode 100644 index 00000000..611049d8 --- /dev/null +++ b/internal/here/doc_test.go @@ -0,0 +1,104 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package here + +import ( + "testing" + + "github.com/sclevine/spec" + "github.com/sclevine/spec/report" + "github.com/stretchr/testify/require" +) + +func TestDoc(t *testing.T) { + spec.Run(t, "here.Doc", func(t *testing.T, when spec.G, it spec.S) { + var r *require.Assertions + + it.Before(func() { + r = require.New(t) + }) + + it("returns single-line strings unchanged", func() { + r.Equal("the quick brown fox", Doc("the quick brown fox")) + r.Equal(" the quick brown fox", Doc(" the quick brown fox")) + }) + + it("returns multi-line strings with indentation removed", func() { + r.Equal( + "the quick brown fox\njumped over the\nlazy dog", + Doc(`the quick brown fox + jumped over the + lazy dog`), + ) + }) + + it("ignores the first empty line and the whitespace in the last line", func() { + r.Equal( + "the quick brown fox\njumped over the\nlazy dog\n", + Doc(` + the quick brown fox + jumped over the + lazy dog + `), + ) + }) + + it("turns all tabs into 4 spaces", func() { + r.Equal( + "the quick brown fox\n jumped over the\n lazy dog\n", + Doc(` + the quick brown fox + jumped over the + lazy dog + `), + ) + }) + }, spec.Parallel(), spec.Report(report.Terminal{})) + + spec.Run(t, "here.Docf", func(t *testing.T, when spec.G, it spec.S) { + var r *require.Assertions + + it.Before(func() { + r = require.New(t) + }) + + it("returns single-line strings unchanged", func() { + r.Equal("the quick brown fox", Docf("the quick brown %s", "fox")) + r.Equal(" the quick brown fox", Docf(" the %s brown %s", "quick", "fox")) + }) + + it("returns multi-line strings with indentation removed", func() { + r.Equal( + "the quick brown fox\njumped over the\nlazy dog", + Docf(`the quick brown %s + jumped over the + lazy %s`, "fox", "dog"), + ) + }) + + it("ignores the first empty line and the whitespace in the last line", func() { + r.Equal( + "the quick brown fox\njumped over the\nlazy dog\n", + Docf(` + the quick brown %s + jumped over the + lazy %s + `, "fox", "dog"), + ) + }) + + it("turns all tabs into 4 spaces", func() { + r.Equal( + "the quick brown fox\n jumped over the\n lazy dog\n", + Docf(` + the quick brown %s + jumped over the + lazy %s + `, "fox", "dog"), + ) + }) + }, spec.Parallel(), spec.Report(report.Terminal{})) +} diff --git a/internal/mocks/mocktokenauthenticator/generate.go b/internal/mocks/mocktokenauthenticator/generate.go new file mode 100644 index 00000000..ab2bb834 --- /dev/null +++ b/internal/mocks/mocktokenauthenticator/generate.go @@ -0,0 +1,8 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package mocktokenauthenticator + +//go:generate go run -v github.com/golang/mock/mockgen -destination=mocktokenauthenticator.go -package=mocktokenauthenticator -copyright_file=../../../hack/header.txt k8s.io/apiserver/pkg/authentication/authenticator Token diff --git a/internal/mocks/mocktokenauthenticator/mocktokenauthenticator.go b/internal/mocks/mocktokenauthenticator/mocktokenauthenticator.go new file mode 100644 index 00000000..f08d4abf --- /dev/null +++ b/internal/mocks/mocktokenauthenticator/mocktokenauthenticator.go @@ -0,0 +1,55 @@ +// Copyright 2020 VMware, Inc. +// SPDX-License-Identifier: Apache-2.0 +// + +// Code generated by MockGen. DO NOT EDIT. +// Source: k8s.io/apiserver/pkg/authentication/authenticator (interfaces: Token) + +// Package mocktokenauthenticator is a generated GoMock package. +package mocktokenauthenticator + +import ( + context "context" + gomock "github.com/golang/mock/gomock" + authenticator "k8s.io/apiserver/pkg/authentication/authenticator" + reflect "reflect" +) + +// MockToken is a mock of Token interface +type MockToken struct { + ctrl *gomock.Controller + recorder *MockTokenMockRecorder +} + +// MockTokenMockRecorder is the mock recorder for MockToken +type MockTokenMockRecorder struct { + mock *MockToken +} + +// NewMockToken creates a new mock instance +func NewMockToken(ctrl *gomock.Controller) *MockToken { + mock := &MockToken{ctrl: ctrl} + mock.recorder = &MockTokenMockRecorder{mock} + return mock +} + +// EXPECT returns an object that allows the caller to indicate expected use +func (m *MockToken) EXPECT() *MockTokenMockRecorder { + return m.recorder +} + +// AuthenticateToken mocks base method +func (m *MockToken) AuthenticateToken(arg0 context.Context, arg1 string) (*authenticator.Response, bool, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "AuthenticateToken", arg0, arg1) + ret0, _ := ret[0].(*authenticator.Response) + ret1, _ := ret[1].(bool) + ret2, _ := ret[2].(error) + return ret0, ret1, ret2 +} + +// AuthenticateToken indicates an expected call of AuthenticateToken +func (mr *MockTokenMockRecorder) AuthenticateToken(arg0, arg1 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateToken", reflect.TypeOf((*MockToken)(nil).AuthenticateToken), arg0, arg1) +} diff --git a/internal/registry/credentialrequest/rest.go b/internal/registry/credentialrequest/rest.go index 6c12a6bf..626f3948 100644 --- a/internal/registry/credentialrequest/rest.go +++ b/internal/registry/credentialrequest/rest.go @@ -37,16 +37,16 @@ type CertIssuer interface { IssuePEM(subject pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error) } -func NewREST(webhook authenticator.Token, issuer CertIssuer) *REST { +func NewREST(tokenAuthenticator authenticator.Token, issuer CertIssuer) *REST { return &REST{ - webhook: webhook, - issuer: issuer, + tokenAuthenticator: tokenAuthenticator, + issuer: issuer, } } type REST struct { - webhook authenticator.Token - issuer CertIssuer + tokenAuthenticator authenticator.Token + issuer CertIssuer } func (r *REST) New() runtime.Object { @@ -78,7 +78,7 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation } }() - authResponse, authenticated, err := r.webhook.AuthenticateToken(cancelCtx, credentialRequest.Spec.Token.Value) + authResponse, authenticated, err := r.tokenAuthenticator.AuthenticateToken(cancelCtx, credentialRequest.Spec.Token.Value) if err != nil { traceFailureWithError(t, "webhook authentication", err) return failureResponse(), nil diff --git a/internal/server/server.go b/internal/server/server.go index 1dcdb808..9abe25df 100644 --- a/internal/server/server.go +++ b/internal/server/server.go @@ -14,9 +14,9 @@ import ( "github.com/spf13/cobra" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apiserver/pkg/authentication/authenticator" genericapiserver "k8s.io/apiserver/pkg/server" genericoptions "k8s.io/apiserver/pkg/server/options" - "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook" "k8s.io/client-go/kubernetes" restclient "k8s.io/client-go/rest" "k8s.io/klog/v2" @@ -26,9 +26,11 @@ import ( pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" "github.com/suzerain-io/pinniped/internal/apiserver" "github.com/suzerain-io/pinniped/internal/certauthority/kubecertauthority" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache" "github.com/suzerain-io/pinniped/internal/controller/issuerconfig" "github.com/suzerain-io/pinniped/internal/controllermanager" "github.com/suzerain-io/pinniped/internal/downward" + "github.com/suzerain-io/pinniped/internal/here" "github.com/suzerain-io/pinniped/internal/provider" "github.com/suzerain-io/pinniped/internal/registry/credentialrequest" "github.com/suzerain-io/pinniped/pkg/config" @@ -62,10 +64,11 @@ func (a *App) Run() error { // Create the server command and save it into the App. func (a *App) addServerCommand(ctx context.Context, args []string, stdout, stderr io.Writer) { cmd := &cobra.Command{ - Use: `pinniped-server`, - Long: "pinniped-server provides a generic API for mapping an external\n" + - "credential from somewhere to an internal credential to be used for\n" + - "authenticating to the Kubernetes API.", + Use: "pinniped-server", + Long: here.Doc(` + pinniped-server provides a generic API for mapping an external + credential from somewhere to an internal credential to be used for + authenticating to the Kubernetes API.`), RunE: func(cmd *cobra.Command, args []string) error { return a.runServer(ctx) }, Args: cobra.NoArgs, } @@ -118,11 +121,8 @@ func (a *App) runServer(ctx context.Context) error { } defer shutdownCA() - // Create a WebhookTokenAuthenticator. - webhookTokenAuthenticator, err := config.NewWebhook(cfg.WebhookConfig) - if err != nil { - return fmt.Errorf("could not create webhook client: %w", err) - } + // Initialize the cache of active identity providers. + idpCache := idpcache.New() // This cert provider will provide certs to the API server and will // be mutated by a controller to keep the certs up to date with what @@ -139,6 +139,7 @@ func (a *App) runServer(ctx context.Context) error { dynamicCertProvider, time.Duration(*cfg.APIConfig.ServingCertificateConfig.DurationSeconds)*time.Second, time.Duration(*cfg.APIConfig.ServingCertificateConfig.RenewBeforeSeconds)*time.Second, + idpCache, ) if err != nil { return fmt.Errorf("could not prepare controllers: %w", err) @@ -147,7 +148,7 @@ func (a *App) runServer(ctx context.Context) error { // Get the aggregated API server config. aggregatedAPIServerConfig, err := getAggregatedAPIServerConfig( dynamicCertProvider, - webhookTokenAuthenticator, + idpCache, k8sClusterCA, startControllersFunc, ) @@ -241,7 +242,7 @@ func getClusterCASigner(ctx context.Context, serverInstallationNamespace string) // Create a configuration for the aggregated API server. func getAggregatedAPIServerConfig( dynamicCertProvider provider.DynamicTLSServingCertProvider, - webhookTokenAuthenticator *webhook.WebhookTokenAuthenticator, + tokenAuthenticator authenticator.Token, ca credentialrequest.CertIssuer, startControllersPostStartHook func(context.Context), ) (*apiserver.Config, error) { @@ -270,7 +271,7 @@ func getAggregatedAPIServerConfig( apiServerConfig := &apiserver.Config{ GenericConfig: serverConfig, ExtraConfig: apiserver.ExtraConfig{ - Webhook: webhookTokenAuthenticator, + TokenAuthenticator: tokenAuthenticator, Issuer: ca, StartControllersPostStartHook: startControllersPostStartHook, }, diff --git a/internal/testutil/testlogger/testlogger.go b/internal/testutil/testlogger/testlogger.go new file mode 100644 index 00000000..04ce5660 --- /dev/null +++ b/internal/testutil/testlogger/testlogger.go @@ -0,0 +1,61 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Package testlogger implements a logr.Logger suitable for writing test assertions. +package testlogger + +import ( + "bytes" + "log" + "strings" + "sync" + "testing" + + "github.com/go-logr/logr" + "github.com/go-logr/stdr" +) + +// Logger implements logr.Logger in a way that captures logs for test assertions. +type Logger struct { + logr.Logger + t *testing.T + buffer syncBuffer +} + +// New returns a new test Logger. +func New(t *testing.T) *Logger { + res := Logger{t: t} + res.Logger = stdr.New(log.New(&res.buffer, "", 0)) + return &res +} + +// Lines returns the lines written to the test logger. +func (l *Logger) Lines() []string { + l.t.Helper() + l.buffer.mutex.Lock() + defer l.buffer.mutex.Unlock() + + // Trim leading/trailing whitespace and omit empty lines. + var result []string + for _, line := range strings.Split(l.buffer.buffer.String(), "\n") { + line = strings.TrimSpace(line) + if line != "" { + result = append(result, line) + } + } + return result +} + +// syncBuffer synchronizes access to a bytes.Buffer. +type syncBuffer struct { + mutex sync.Mutex + buffer bytes.Buffer +} + +func (s *syncBuffer) Write(p []byte) (n int, err error) { + s.mutex.Lock() + defer s.mutex.Unlock() + return s.buffer.Write(p) +} diff --git a/internal/testutil/tlsserver.go b/internal/testutil/tlsserver.go new file mode 100644 index 00000000..0da0be94 --- /dev/null +++ b/internal/testutil/tlsserver.go @@ -0,0 +1,27 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package testutil + +import ( + "encoding/pem" + "net/http" + "net/http/httptest" + "testing" +) + +// TLSTestServer starts a test server listening on a local port using a test CA. It returns the PEM CA bundle and the +// URL of the listening server. The lifetime of the server is bound to the provided *testing.T. +func TLSTestServer(t *testing.T, handler http.HandlerFunc) (caBundlePEM string, url string) { + t.Helper() + server := httptest.NewTLSServer(handler) + t.Cleanup(server.Close) + + caBundle := string(pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE", + Bytes: server.TLS.Certificates[0].Certificate[0], + })) + return caBundle, server.URL +} diff --git a/pkg/config/api/types.go b/pkg/config/api/types.go index 81a8b1e1..1f5a80e3 100644 --- a/pkg/config/api/types.go +++ b/pkg/config/api/types.go @@ -7,23 +7,10 @@ package api // Config contains knobs to setup an instance of pinniped. type Config struct { - WebhookConfig WebhookConfigSpec `json:"webhook"` DiscoveryInfo DiscoveryInfoSpec `json:"discovery"` APIConfig APIConfigSpec `json:"api"` } -// WebhookConfig contains configuration knobs specific to pinniped's use -// of a webhook for token validation. -type WebhookConfigSpec struct { - // URL contains the URL of the webhook that pinniped will use - // to validate external credentials. - URL string `json:"url"` - - // CABundle contains PEM-encoded certificate authority certificates used - // to validate TLS connections to the WebhookURL. - CABundle []byte `json:"caBundle"` -} - // DiscoveryInfoSpec contains configuration knobs specific to // pinniped's publishing of discovery information. These values can be // viewed as overrides, i.e., if these are set, then pinniped will diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index e22a1255..e188910d 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go @@ -27,10 +27,6 @@ func TestFromPath(t *testing.T) { DiscoveryInfo: api.DiscoveryInfoSpec{ URL: stringPtr("https://some.discovery/url"), }, - WebhookConfig: api.WebhookConfigSpec{ - URL: "https://tuna.com/fish?marlin", - CABundle: []byte("-----BEGIN CERTIFICATE-----..."), - }, APIConfig: api.APIConfigSpec{ ServingCertificateConfig: api.ServingCertificateConfigSpec{ DurationSeconds: int64Ptr(3600), @@ -46,10 +42,6 @@ func TestFromPath(t *testing.T) { DiscoveryInfo: api.DiscoveryInfoSpec{ URL: nil, }, - WebhookConfig: api.WebhookConfigSpec{ - URL: "https://tuna.com/fish?marlin", - CABundle: []byte("-----BEGIN CERTIFICATE-----..."), - }, APIConfig: api.APIConfigSpec{ ServingCertificateConfig: api.ServingCertificateConfigSpec{ DurationSeconds: int64Ptr(60 * 60 * 24 * 365), // about a year diff --git a/pkg/config/testdata/default.yaml b/pkg/config/testdata/default.yaml index 234d9de8..ed97d539 100644 --- a/pkg/config/testdata/default.yaml +++ b/pkg/config/testdata/default.yaml @@ -1,4 +1 @@ --- -webhook: - url: https://tuna.com/fish?marlin - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u diff --git a/pkg/config/testdata/happy.yaml b/pkg/config/testdata/happy.yaml index f769cb83..3ed3c18a 100644 --- a/pkg/config/testdata/happy.yaml +++ b/pkg/config/testdata/happy.yaml @@ -1,9 +1,6 @@ --- discovery: url: https://some.discovery/url -webhook: - url: https://tuna.com/fish?marlin - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u api: servingCertificate: durationSeconds: 3600 diff --git a/pkg/config/testdata/invalid-duration-renew-before.yaml b/pkg/config/testdata/invalid-duration-renew-before.yaml index 83d1eaa6..0c2ac255 100644 --- a/pkg/config/testdata/invalid-duration-renew-before.yaml +++ b/pkg/config/testdata/invalid-duration-renew-before.yaml @@ -1,7 +1,4 @@ --- -webhook: - url: https://tuna.com/fish?marlin - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u api: servingCertificate: durationSeconds: 2400 diff --git a/pkg/config/testdata/negative-renew-before.yaml b/pkg/config/testdata/negative-renew-before.yaml index 97481414..bcc483d6 100644 --- a/pkg/config/testdata/negative-renew-before.yaml +++ b/pkg/config/testdata/negative-renew-before.yaml @@ -1,7 +1,4 @@ --- -webhook: - url: https://tuna.com/fish?marlin - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u api: servingCertificate: durationSeconds: 2400 diff --git a/pkg/config/testdata/zero-renew-before.yaml b/pkg/config/testdata/zero-renew-before.yaml index 97481414..bcc483d6 100644 --- a/pkg/config/testdata/zero-renew-before.yaml +++ b/pkg/config/testdata/zero-renew-before.yaml @@ -1,7 +1,4 @@ --- -webhook: - url: https://tuna.com/fish?marlin - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u api: servingCertificate: durationSeconds: 2400 diff --git a/pkg/config/webhook.go b/pkg/config/webhook.go deleted file mode 100644 index b359b25a..00000000 --- a/pkg/config/webhook.go +++ /dev/null @@ -1,77 +0,0 @@ -/* -Copyright 2020 VMware, Inc. -SPDX-License-Identifier: Apache-2.0 -*/ - -package config - -import ( - "fmt" - "io" - "io/ioutil" - "os" - - authenticationv1beta1 "k8s.io/api/authentication/v1beta1" - utilnet "k8s.io/apimachinery/pkg/util/net" - "k8s.io/apiserver/pkg/authentication/authenticator" - "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook" - "k8s.io/client-go/tools/clientcmd" - clientcmdapi "k8s.io/client-go/tools/clientcmd/api" - - "github.com/suzerain-io/pinniped/pkg/config/api" -) - -// NewWebhook creates a webhook from the provided API server url and caBundle -// used to validate TLS connections. -func NewWebhook(spec api.WebhookConfigSpec) (*webhook.WebhookTokenAuthenticator, error) { - kubeconfig, err := ioutil.TempFile("", "pinniped-webhook-kubeconfig-*") - if err != nil { - return nil, fmt.Errorf("create temp file: %w", err) - } - defer os.Remove(kubeconfig.Name()) - - if err := anonymousKubeconfig(spec.URL, spec.CABundle, kubeconfig); err != nil { - return nil, fmt.Errorf("anonymous kubeconfig: %w", err) - } - - // We use v1beta1 instead of v1 since v1beta1 is more prevalent in our desired - // integration points. - version := authenticationv1beta1.SchemeGroupVersion.Version - - // At the current time, we don't provide any audiences because we simply don't - // have any requirements to do so. This can be changed in the future as - // requirements change. - var implicitAuds authenticator.Audiences - - // We set this to nil because we would only need this to support some of the - // custom proxy stuff used by the API server. - var customDial utilnet.DialFunc - - return webhook.New(kubeconfig.Name(), version, implicitAuds, customDial) -} - -// anonymousKubeconfig writes a kubeconfig file to the provided io.Writer that -// will "use" anonymous auth to talk to a Kube API server at the provided url -// with the provided caBundle. -func anonymousKubeconfig(url string, caBundle []byte, out io.Writer) error { - config := clientcmdapi.NewConfig() - config.Clusters["anonymous-cluster"] = &clientcmdapi.Cluster{ - Server: url, - CertificateAuthorityData: caBundle, - } - config.Contexts["anonymous"] = &clientcmdapi.Context{ - Cluster: "anonymous-cluster", - } - config.CurrentContext = "anonymous" - - data, err := clientcmd.Write(*config) - if err != nil { - return fmt.Errorf("marshal config: %w", err) - } - - if _, err := out.Write(data); err != nil { - return fmt.Errorf("write config: %w", err) - } - - return nil -} diff --git a/pkg/config/webhook_test.go b/pkg/config/webhook_test.go deleted file mode 100644 index 3ba33cda..00000000 --- a/pkg/config/webhook_test.go +++ /dev/null @@ -1,31 +0,0 @@ -/* -Copyright 2020 VMware, Inc. -SPDX-License-Identifier: Apache-2.0 -*/ - -package config - -import ( - "io/ioutil" - "os" - "testing" - - "github.com/stretchr/testify/require" - "k8s.io/client-go/tools/clientcmd" -) - -func TestAnonymousKubeconfig(t *testing.T) { - expect := require.New(t) - - f, err := ioutil.TempFile("", "pinniped-anonymous-kubeconfig-test-*") - expect.NoError(err) - defer os.Remove(f.Name()) - - err = anonymousKubeconfig("https://tuna.com", []byte("ca bundle"), f) - expect.NoError(err) - - config, err := clientcmd.BuildConfigFromFlags("", f.Name()) - expect.NoError(err) - - expect.Equal("https://tuna.com", config.Host) -} diff --git a/test/integration/api_discovery_test.go b/test/integration/api_discovery_test.go index 96fa3951..48d3bb93 100644 --- a/test/integration/api_discovery_test.go +++ b/test/integration/api_discovery_test.go @@ -22,65 +22,119 @@ func TestGetAPIResourceList(t *testing.T) { groups, resources, err := client.Discovery().ServerGroupsAndResources() require.NoError(t, err) - t.Run("has group", func(t *testing.T) { - require.Contains(t, groups, &metav1.APIGroup{ - Name: "pinniped.dev", - Versions: []metav1.GroupVersionForDiscovery{ - { + tests := []struct { + group metav1.APIGroup + resourceByVersion map[string][]metav1.APIResource + }{ + { + group: metav1.APIGroup{ + Name: "pinniped.dev", + Versions: []metav1.GroupVersionForDiscovery{ + { + GroupVersion: "pinniped.dev/v1alpha1", + Version: "v1alpha1", + }, + }, + PreferredVersion: metav1.GroupVersionForDiscovery{ GroupVersion: "pinniped.dev/v1alpha1", Version: "v1alpha1", }, }, - PreferredVersion: metav1.GroupVersionForDiscovery{ - GroupVersion: "pinniped.dev/v1alpha1", - Version: "v1alpha1", + resourceByVersion: map[string][]metav1.APIResource{ + "pinniped.dev/v1alpha1": { + { + Name: "credentialrequests", + Kind: "CredentialRequest", + Verbs: []string{"create"}, + Namespaced: false, + + // This is currently an empty string in the response; maybe it should not be + // empty? Seems like no harm in keeping it like this for now, but feel free + // to update in the future if there is a compelling reason to do so. + SingularName: "", + }, + }, }, - }) - }) - - t.Run("has non-CRD APIs", func(t *testing.T) { - expectResources(t, "pinniped.dev/v1alpha1", resources, []metav1.APIResource{ - { - Name: "credentialrequests", - Kind: "CredentialRequest", - Verbs: []string{"create"}, - Namespaced: false, - - // This is currently an empty string in the response; maybe it should not be - // empty? Seems like no harm in keeping it like this for now, but feel free - // to update in the future if there is a compelling reason to do so. - SingularName: "", + }, + { + group: metav1.APIGroup{ + Name: "crd.pinniped.dev", + Versions: []metav1.GroupVersionForDiscovery{ + { + GroupVersion: "crd.pinniped.dev/v1alpha1", + Version: "v1alpha1", + }, + }, + PreferredVersion: metav1.GroupVersionForDiscovery{ + GroupVersion: "crd.pinniped.dev/v1alpha1", + Version: "v1alpha1", + }, }, - }) - }) - - t.Run("has CRD APIs", func(t *testing.T) { - expectResources(t, "crd.pinniped.dev/v1alpha1", resources, []metav1.APIResource{ - { - Name: "credentialissuerconfigs", - SingularName: "credentialissuerconfig", - Namespaced: true, - Kind: "CredentialIssuerConfig", - Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"}, - ShortNames: []string{"cic"}, + resourceByVersion: map[string][]metav1.APIResource{ + "crd.pinniped.dev/v1alpha1": { + { + Name: "credentialissuerconfigs", + SingularName: "credentialissuerconfig", + Namespaced: true, + Kind: "CredentialIssuerConfig", + Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"}, + ShortNames: []string{"cic"}, + }, + }, }, - }) - }) -} - -func expectResources(t *testing.T, groupVersion string, resources []*metav1.APIResourceList, expected []metav1.APIResource) { - var actualResourceList *metav1.APIResourceList - for _, resource := range resources { - if resource.GroupVersion == groupVersion { - actualResourceList = resource.DeepCopy() - } + }, + { + group: metav1.APIGroup{ + Name: "idp.pinniped.dev", + Versions: []metav1.GroupVersionForDiscovery{ + { + GroupVersion: "idp.pinniped.dev/v1alpha1", + Version: "v1alpha1", + }, + }, + PreferredVersion: metav1.GroupVersionForDiscovery{ + GroupVersion: "idp.pinniped.dev/v1alpha1", + Version: "v1alpha1", + }, + }, + resourceByVersion: map[string][]metav1.APIResource{ + "idp.pinniped.dev/v1alpha1": { + { + Name: "webhookidentityproviders", + SingularName: "webhookidentityprovider", + Namespaced: true, + Kind: "WebhookIdentityProvider", + Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"}, + ShortNames: []string{"webhookidp", "webhookidps"}, + Categories: []string{"all", "idp", "idps"}, + }, + }, + }, + }, } - require.NotNilf(t, actualResourceList, "could not find groupVersion %s", groupVersion) - // Because its hard to predict the storage version hash (e.g. "t/+v41y+3e4="), we just don't - // worry about comparing that field. - for i := range actualResourceList.APIResources { - actualResourceList.APIResources[i].StorageVersionHash = "" + for _, tt := range tests { + tt := tt + t.Run(tt.group.Name, func(t *testing.T) { + require.Contains(t, groups, &tt.group) + + for groupVersion, expectedResources := range tt.resourceByVersion { + // Find the actual resource list and make a copy. + var actualResourceList *metav1.APIResourceList + for _, resource := range resources { + if resource.GroupVersion == groupVersion { + actualResourceList = resource.DeepCopy() + } + } + require.NotNilf(t, actualResourceList, "could not find groupVersion %s", groupVersion) + + // Because its hard to predict the storage version hash (e.g. "t/+v41y+3e4="), we just don't + // worry about comparing that field. + for i := range actualResourceList.APIResources { + actualResourceList.APIResources[i].StorageVersionHash = "" + } + require.EqualValues(t, expectedResources, actualResourceList.APIResources, "unexpected API resources") + } + }) } - require.EqualValues(t, expected, actualResourceList.APIResources, "unexpected API resources") } diff --git a/test/integration/cli_test.go b/test/integration/cli_test.go new file mode 100644 index 00000000..968af4e9 --- /dev/null +++ b/test/integration/cli_test.go @@ -0,0 +1,91 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ +package integration + +import ( + "context" + "io/ioutil" + "os" + "os/exec" + "path/filepath" + "strings" + "testing" + "time" + + "github.com/stretchr/testify/require" + + "github.com/suzerain-io/pinniped/test/library" +) + +func TestCLI(t *testing.T) { + library.SkipUnlessIntegration(t) + library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable) + token := library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN") + namespaceName := library.GetEnv(t, "PINNIPED_NAMESPACE") + testUsername := library.GetEnv(t, "PINNIPED_TEST_USER_USERNAME") + expectedTestUserGroups := strings.Split( + strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",", + ) + + // Build pinniped CLI. + pinnipedExe, cleanupFunc := buildPinnipedCLI(t) + defer cleanupFunc() + + // Run pinniped CLI to get kubeconfig. + kubeConfig := runPinnipedCLI(t, pinnipedExe, token, namespaceName) + + // Create Kubernetes client with kubeconfig from pinniped CLI. + kubeClient := library.NewClientsetForKubeConfig(t, kubeConfig) + + // Validate that we can auth to the API via our user. + ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*3) + defer cancelFunc() + + adminClient := library.NewClientset(t) + + t.Run("access as user", accessAsUserTest(ctx, adminClient, testUsername, kubeClient)) + for _, group := range expectedTestUserGroups { + group := group + t.Run( + "access as group "+group, + accessAsGroupTest(ctx, adminClient, group, kubeClient), + ) + } +} + +func buildPinnipedCLI(t *testing.T) (string, func()) { + t.Helper() + + pinnipedExeDir, err := ioutil.TempDir("", "pinniped-cli-test-*") + require.NoError(t, err) + + pinnipedExe := filepath.Join(pinnipedExeDir, "pinniped") + output, err := exec.Command( + "go", + "build", + "-o", + pinnipedExe, + "github.com/suzerain-io/pinniped/cmd/pinniped", + ).CombinedOutput() + require.NoError(t, err, string(output)) + + return pinnipedExe, func() { + require.NoError(t, os.RemoveAll(pinnipedExeDir)) + } +} + +func runPinnipedCLI(t *testing.T, pinnipedExe, token, namespaceName string) string { + t.Helper() + + output, err := exec.Command( + pinnipedExe, + "get-kubeconfig", + "--token", token, + "--pinniped-namespace", namespaceName, + ).CombinedOutput() + require.NoError(t, err, string(output)) + + return string(output) +} diff --git a/test/integration/client_test.go b/test/integration/client_test.go index ad480d1a..138db6d7 100644 --- a/test/integration/client_test.go +++ b/test/integration/client_test.go @@ -14,6 +14,7 @@ import ( "github.com/stretchr/testify/require" "github.com/suzerain-io/pinniped/internal/client" + "github.com/suzerain-io/pinniped/internal/here" "github.com/suzerain-io/pinniped/test/library" ) @@ -28,27 +29,28 @@ Test certificate and private key that should get an authentication error. Genera [1]: https://github.com/cloudflare/cfssl */ var ( - testCert = strings.TrimSpace(` ------BEGIN CERTIFICATE----- -MIICBDCCAaugAwIBAgIUeidKWlZQuoKfBGydObI1hMwzt9cwCgYIKoZIzj0EAwIw -SDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp -c2NvMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMDA3MjgxOTI3MDBaFw0yMTA3 -MjgxOTI3MDBaMEgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN -U2FuIEZyYW5jaXNjbzEUMBIGA1UEAxMLZXhhbXBsZS5uZXQwWTATBgcqhkjOPQIB -BggqhkjOPQMBBwNCAARk7XBC+OjYmrXOhm7RaJiHW4Q5VsE+iMV90Bzq7ansqAhb -04RI63Y7YPwu1aExutjLvnkWCrgf2ze8KB+8djUBo3MwcTAOBgNVHQ8BAf8EBAMC -BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw -HQYDVR0OBBYEFG0oZxV+LHUKfE4gQ67xfHJuGQ/4MBMGA1UdEQQMMAqCCHRlc3R1 -c2VyMAoGCCqGSM49BAMCA0cAMEQCIEwPZhPpYhYHndfTEsWOxnxzJkmhAcYIMCeJ -d9kyq/fPAiBNCJw1MCLT8LjNlyUZCfwI2zuI3e0w6vuau89oj2zvVA== ------END CERTIFICATE----- + testCert = here.Doc(` + -----BEGIN CERTIFICATE----- + MIICBDCCAaugAwIBAgIUeidKWlZQuoKfBGydObI1hMwzt9cwCgYIKoZIzj0EAwIw + SDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp + c2NvMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMDA3MjgxOTI3MDBaFw0yMTA3 + MjgxOTI3MDBaMEgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN + U2FuIEZyYW5jaXNjbzEUMBIGA1UEAxMLZXhhbXBsZS5uZXQwWTATBgcqhkjOPQIB + BggqhkjOPQMBBwNCAARk7XBC+OjYmrXOhm7RaJiHW4Q5VsE+iMV90Bzq7ansqAhb + 04RI63Y7YPwu1aExutjLvnkWCrgf2ze8KB+8djUBo3MwcTAOBgNVHQ8BAf8EBAMC + BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw + HQYDVR0OBBYEFG0oZxV+LHUKfE4gQ67xfHJuGQ/4MBMGA1UdEQQMMAqCCHRlc3R1 + c2VyMAoGCCqGSM49BAMCA0cAMEQCIEwPZhPpYhYHndfTEsWOxnxzJkmhAcYIMCeJ + d9kyq/fPAiBNCJw1MCLT8LjNlyUZCfwI2zuI3e0w6vuau89oj2zvVA== + -----END CERTIFICATE----- `) - testKey = maskKey(strings.TrimSpace(` ------BEGIN EC TESTING KEY----- -MHcCAQEEIAqkBGGKTH5GzLx8XZLAHEFW2E8jT+jpy0p6w6MMR7DkoAoGCCqGSM49 -AwEHoUQDQgAEZO1wQvjo2Jq1zoZu0WiYh1uEOVbBPojFfdAc6u2p7KgIW9OESOt2 -O2D8LtWhMbrYy755Fgq4H9s3vCgfvHY1AQ== ------END EC TESTING KEY----- + + testKey = maskKey(here.Doc(` + -----BEGIN EC TESTING KEY----- + MHcCAQEEIAqkBGGKTH5GzLx8XZLAHEFW2E8jT+jpy0p6w6MMR7DkoAoGCCqGSM49 + AwEHoUQDQgAEZO1wQvjo2Jq1zoZu0WiYh1uEOVbBPojFfdAc6u2p7KgIW9OESOt2 + O2D8LtWhMbrYy755Fgq4H9s3vCgfvHY1AQ== + -----END EC TESTING KEY----- `)) ) diff --git a/test/integration/common_test.go b/test/integration/common_test.go new file mode 100644 index 00000000..abd35975 --- /dev/null +++ b/test/integration/common_test.go @@ -0,0 +1,102 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ +package integration + +import ( + "context" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + v1 "k8s.io/api/core/v1" + rbacv1 "k8s.io/api/rbac/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/kubernetes" +) + +// accessAsUserTest runs a generic test in which a clientUnderTest operating with username +// testUsername tries to auth to the kube API (i.e., list namespaces). +// +// Use this function if you want to simply validate that a user can auth to the kube API after +// performing a Pinniped credential exchange. +func accessAsUserTest( + ctx context.Context, + adminClient kubernetes.Interface, + testUsername string, + clientUnderTest kubernetes.Interface, +) func(t *testing.T) { + return func(t *testing.T) { + addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{ + TypeMeta: metav1.TypeMeta{}, + ObjectMeta: metav1.ObjectMeta{ + Name: "integration-test-user-readonly-role-binding", + }, + Subjects: []rbacv1.Subject{{ + Kind: rbacv1.UserKind, + APIGroup: rbacv1.GroupName, + Name: testUsername, + }}, + RoleRef: rbacv1.RoleRef{ + Kind: "ClusterRole", + APIGroup: rbacv1.GroupName, + Name: "view", + }, + }) + + // Use the client which is authenticated as the test user to list namespaces + var listNamespaceResponse *v1.NamespaceList + var err error + var canListNamespaces = func() bool { + listNamespaceResponse, err = clientUnderTest.CoreV1().Namespaces().List(ctx, metav1.ListOptions{}) + return err == nil + } + assert.Eventually(t, canListNamespaces, 3*time.Second, 250*time.Millisecond) + require.NoError(t, err) // prints out the error and stops the test in case of failure + require.NotEmpty(t, listNamespaceResponse.Items) + } +} + +// accessAsGroupTest runs a generic test in which a clientUnderTest with membership in group +// testGroup tries to auth to the kube API (i.e., list namespaces). +// +// Use this function if you want to simply validate that a user can auth to the kube API (via +// a group membership) after performing a Pinniped credential exchange. +func accessAsGroupTest( + ctx context.Context, + adminClient kubernetes.Interface, + testGroup string, + clientUnderTest kubernetes.Interface, +) func(t *testing.T) { + return func(t *testing.T) { + addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{ + TypeMeta: metav1.TypeMeta{}, + ObjectMeta: metav1.ObjectMeta{ + Name: "integration-test-group-readonly-role-binding", + }, + Subjects: []rbacv1.Subject{{ + Kind: rbacv1.GroupKind, + APIGroup: rbacv1.GroupName, + Name: testGroup, + }}, + RoleRef: rbacv1.RoleRef{ + Kind: "ClusterRole", + APIGroup: rbacv1.GroupName, + Name: "view", + }, + }) + + // Use the client which is authenticated as the test user to list namespaces + var listNamespaceResponse *v1.NamespaceList + var err error + var canListNamespaces = func() bool { + listNamespaceResponse, err = clientUnderTest.CoreV1().Namespaces().List(ctx, metav1.ListOptions{}) + return err == nil + } + assert.Eventually(t, canListNamespaces, 3*time.Second, 250*time.Millisecond) + require.NoError(t, err) // prints out the error and stops the test in case of failure + require.NotEmpty(t, listNamespaceResponse.Items) + } +} diff --git a/test/integration/credentialissuerconfig_test.go b/test/integration/credentialissuerconfig_test.go index 22478d91..cacfe1dd 100644 --- a/test/integration/credentialissuerconfig_test.go +++ b/test/integration/credentialissuerconfig_test.go @@ -36,6 +36,10 @@ func TestCredentialIssuerConfig(t *testing.T) { CredentialIssuerConfigs(namespaceName). List(ctx, metav1.ListOptions{}) require.NoError(t, err) + for _, config := range actualConfigList.Items { + t.Logf("found CredentialIssuerConfig: %+v", config) + } + require.Len(t, actualConfigList.Items, 1) actualStatusKubeConfigInfo := actualConfigList.Items[0].Status.KubeConfigInfo diff --git a/test/integration/credentialrequest_test.go b/test/integration/credentialrequest_test.go index 28557858..ba8bd773 100644 --- a/test/integration/credentialrequest_test.go +++ b/test/integration/credentialrequest_test.go @@ -14,9 +14,7 @@ import ( "testing" "time" - "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - v1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -61,65 +59,16 @@ func TestSuccessfulCredentialRequest(t *testing.T) { response.Status.Credential.ClientKeyData, ) - t.Run("access as user", func(t *testing.T) { - addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{ - TypeMeta: metav1.TypeMeta{}, - ObjectMeta: metav1.ObjectMeta{ - Name: "integration-test-user-readonly-role-binding", - }, - Subjects: []rbacv1.Subject{{ - Kind: rbacv1.UserKind, - APIGroup: rbacv1.GroupName, - Name: testUsername, - }}, - RoleRef: rbacv1.RoleRef{ - Kind: "ClusterRole", - APIGroup: rbacv1.GroupName, - Name: "view", - }, - }) - - // Use the client which is authenticated as the test user to list namespaces - var listNamespaceResponse *v1.NamespaceList - var canListNamespaces = func() bool { - listNamespaceResponse, err = clientWithCertFromCredentialRequest.CoreV1().Namespaces().List(ctx, metav1.ListOptions{}) - return err == nil - } - assert.Eventually(t, canListNamespaces, 3*time.Second, 250*time.Millisecond) - require.NoError(t, err) // prints out the error and stops the test in case of failure - require.NotEmpty(t, listNamespaceResponse.Items) - }) - + t.Run( + "access as user", + accessAsUserTest(ctx, adminClient, testUsername, clientWithCertFromCredentialRequest), + ) for _, group := range expectedTestUserGroups { group := group - t.Run("access as group "+group, func(t *testing.T) { - addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{ - TypeMeta: metav1.TypeMeta{}, - ObjectMeta: metav1.ObjectMeta{ - Name: "integration-test-group-readonly-role-binding", - }, - Subjects: []rbacv1.Subject{{ - Kind: rbacv1.GroupKind, - APIGroup: rbacv1.GroupName, - Name: group, - }}, - RoleRef: rbacv1.RoleRef{ - Kind: "ClusterRole", - APIGroup: rbacv1.GroupName, - Name: "view", - }, - }) - - // Use the client which is authenticated as the test user to list namespaces - var listNamespaceResponse *v1.NamespaceList - var canListNamespaces = func() bool { - listNamespaceResponse, err = clientWithCertFromCredentialRequest.CoreV1().Namespaces().List(ctx, metav1.ListOptions{}) - return err == nil - } - assert.Eventually(t, canListNamespaces, 3*time.Second, 250*time.Millisecond) - require.NoError(t, err) // prints out the error and stops the test in case of failure - require.NotEmpty(t, listNamespaceResponse.Items) - }) + t.Run( + "access as group "+group, + accessAsGroupTest(ctx, adminClient, group, clientWithCertFromCredentialRequest), + ) } } diff --git a/test/library/client.go b/test/library/client.go index a7e895db..1eb13328 100644 --- a/test/library/client.go +++ b/test/library/client.go @@ -36,6 +36,22 @@ func NewClientset(t *testing.T) kubernetes.Interface { return newClientsetWithConfig(t, NewClientConfig(t)) } +func NewClientsetForKubeConfig(t *testing.T, kubeConfig string) kubernetes.Interface { + t.Helper() + + kubeConfigFile, err := ioutil.TempFile("", "pinniped-cli-test-*") + require.NoError(t, err) + defer os.Remove(kubeConfigFile.Name()) + + _, err = kubeConfigFile.Write([]byte(kubeConfig)) + require.NoError(t, err) + + restConfig, err := clientcmd.BuildConfigFromFlags("", kubeConfigFile.Name()) + require.NoError(t, err) + + return newClientsetWithConfig(t, restConfig) +} + func NewClientsetWithCertAndKey(t *testing.T, clientCertificateData, clientKeyData string) kubernetes.Interface { t.Helper()