Merge pull request #82 from mattmoyer/add-crd-generation

Generate CRD YAML using controller-tools, update doc strings.

.pre-commit-config.yaml

@@ -1,3 +1,4 @@
+exclude: '^generated/'
 repos:
 - repo: git://github.com/pre-commit/pre-commit-hooks
   rev: v3.2.0

apis/crdpinniped/doc.go.tmpl

@@ -6,5 +6,5 @@ SPDX-License-Identifier: Apache-2.0
 // +k8s:deepcopy-gen=package
 // +groupName=crd.pinniped.dev
 
-// Package crdpinniped is the internal version of the API.
+// Package crdpinniped is the internal version of the Pinniped CRD-based API.
 package crdpinniped

apis/crdpinniped/v1alpha1/doc.go.tmpl

@@ -9,5 +9,5 @@ SPDX-License-Identifier: Apache-2.0
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=crd.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped CRD-based API.
 package v1alpha1

apis/crdpinniped/v1alpha1/types.go.tmpl

@@ -7,8 +7,13 @@ package v1alpha1
 
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+// +kubebuilder:validation:Enum=KubeClusterSigningCertificate
 type StrategyType string
+
+// +kubebuilder:validation:Enum=Success;Error
 type StrategyStatus string
+
+// +kubebuilder:validation:Enum=FetchedKey;CouldNotFetchKey
 type StrategyReason string
 
 const (
@@ -21,39 +26,63 @@ const (
 	FetchedKeyStrategyReason       = StrategyReason("FetchedKey")
 )
 
+// Status of a credential issuer.
 type CredentialIssuerConfigStatus struct {
+	// List of integration strategies that were attempted by Pinniped.
 	Strategies []CredentialIssuerConfigStrategy `json:"strategies"`
 
+	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 	// +optional
 	KubeConfigInfo *CredentialIssuerConfigKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
 }
 
+// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 type CredentialIssuerConfigKubeConfigInfo struct {
-	// The K8s API server URL. Required.
+	// The K8s API server URL.
-	Server string `json:"server,omitempty"`
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://|^http://`
+	Server string `json:"server"`
 
-	// The K8s API server CA bundle. Required.
+	// The K8s API server CA bundle.
-	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// +kubebuilder:validation:MinLength=1
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }
 
+// Status of an integration strategy that was attempted by Pinniped.
 type CredentialIssuerConfigStrategy struct {
-	Type           StrategyType   `json:"type,omitempty"`
+	// Type of integration attempted.
-	Status         StrategyStatus `json:"status,omitempty"`
+	Type StrategyType `json:"type"`
-	Reason         StrategyReason `json:"reason,omitempty"`
+
-	Message        string         `json:"message,omitempty"`
+	// Status of the attempted integration strategy.
+	Status StrategyStatus `json:"status"`
+
+	// Reason for the current status.
+	Reason StrategyReason `json:"reason"`
+
+	// Human-readable description of the current status.
+	// +kubebuilder:validation:MinLength=1
+	Message string `json:"message"`
+
+	// When the status was last checked.
 	LastUpdateTime metav1.Time `json:"lastUpdateTime"`
 }
 
+
+// Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:shortName=cic
 
 type CredentialIssuerConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
+	// Status of the credential issuer.
 	Status CredentialIssuerConfigStatus `json:"status"`
 }
 
+
+// List of CredentialIssuerConfig objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 type CredentialIssuerConfigList struct {

apis/pinniped/doc.go.tmpl

@@ -6,5 +6,5 @@ SPDX-License-Identifier: Apache-2.0
 // +k8s:deepcopy-gen=package
 // +groupName=pinniped.dev
 
-// Package pinniped is the internal version of the API.
+// Package pinniped is the internal version of the Pinniped aggregated API.
 package pinniped

apis/pinniped/v1alpha1/doc.go.tmpl

@@ -9,5 +9,5 @@ SPDX-License-Identifier: Apache-2.0
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
 package v1alpha1

deploy/crd.yaml

@@ -1,85 +1,110 @@
-#! Copyright 2020 VMware, Inc.
-#! SPDX-License-Identifier: Apache-2.0
-
-#! Example of valid CredentialIssuerConfig object:
-#! ---
-#! apiVersion: crd.pinniped.dev/v1alpha1
-#! kind: CredentialIssuerConfig
-#! metadata:
-#!   name: credential-issuer-config
-#!   namespace: integration
-#! status:
-#!   kubeConfigInfo:
-#!     server: https://foo
-#!     certificateAuthorityData: bar
-#!   strategies:
-#!     - type: KubeClusterSigningCertificate
-#!       status: Error
-#!       reason: CouldNotFetchKey
-#!       message: "There was an error getting the signing cert"
-#!       lastUpdateTime: 2020-08-21T20:08:18Z
-
-#@ load("@ytt:data", "data")
 
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
   name: credentialissuerconfigs.crd.pinniped.dev
 spec:
   group: crd.pinniped.dev
-  versions:
-    #! Any changes to these schemas should also be reflected in the types.go file(s)
-    - name: v1alpha1
-      served: true
-      storage: true
-      schema:
-        openAPIV3Schema:
-          type: object
-          properties:
-            status:
-              type: object
-              properties:
-                strategies:
-                  type: array
-                  items:
-                    type: object
-                    required: [ type, status, reason, message, lastUpdateTime ]
-                    properties:
-                      type: #! this property is called "type"
-                        type: string
-                        minLength: 1
-                        pattern: '^KubeClusterSigningCertificate$'
-                      status:
-                        type: string
-                        minLength: 1
-                        pattern: '^Success$|^Error$'
-                      reason:
-                        type: string
-                        minLength: 1
-                        pattern: '^CouldNotFetchKey$|^FetchedKey$'
-                      message:
-                        type: string
-                        minLength: 1
-                      lastUpdateTime:
-                        type: string
-                        format: date-time
-                        minLength: 1
-                kubeConfigInfo:
-                  type: object
-                  required: [ server, certificateAuthorityData ]
-                  properties:
-                    server:
-                      type: string
-                      minLength: 1
-                      pattern: '^https://|^http://'
-                    certificateAuthorityData:
-                      type: string
-                      minLength: 1
-  scope: Namespaced
   names:
-    plural: credentialissuerconfigs
-    singular: credentialissuerconfig
     kind: CredentialIssuerConfig
+    listKind: CredentialIssuerConfigList
+    plural: credentialissuerconfigs
     shortNames:
     - cic
+    singular: credentialissuerconfig
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          status:
+            description: Status of the credential issuer.
+            properties:
+              kubeConfigInfo:
+                description: Information needed to form a valid Pinniped-based kubeconfig
+                  using this credential issuer.
+                properties:
+                  certificateAuthorityData:
+                    description: The K8s API server CA bundle.
+                    minLength: 1
+                    type: string
+                  server:
+                    description: The K8s API server URL.
+                    minLength: 1
+                    pattern: ^https://|^http://
+                    type: string
+                required:
+                - certificateAuthorityData
+                - server
+                type: object
+              strategies:
+                description: List of integration strategies that were attempted by
+                  Pinniped.
+                items:
+                  description: Status of an integration strategy that was attempted
+                    by Pinniped.
+                  properties:
+                    lastUpdateTime:
+                      description: When the status was last checked.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable description of the current status.
+                      minLength: 1
+                      type: string
+                    reason:
+                      description: Reason for the current status.
+                      enum:
+                      - FetchedKey
+                      - CouldNotFetchKey
+                      type: string
+                    status:
+                      description: Status of the attempted integration strategy.
+                      enum:
+                      - Success
+                      - Error
+                      type: string
+                    type:
+                      description: Type of integration attempted.
+                      enum:
+                      - KubeClusterSigningCertificate
+                      type: string
+                  required:
+                  - lastUpdateTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            required:
+            - strategies
+            type: object
+        required:
+        - status
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

generated/1.17/README.adoc

@@ -12,7 +12,7 @@
 [id="{anchor_prefix}-crd-pinniped-dev-v1alpha1"]
 === crd.pinniped.dev/v1alpha1
 
-Package v1alpha1 is the v1alpha1 version of the API.
+Package v1alpha1 is the v1alpha1 version of the Pinniped CRD-based API.
 
 
 
@@ -31,7 +31,7 @@ Package v1alpha1 is the v1alpha1 version of the API.
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-crdpinniped-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]__ | 
+| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-crdpinniped-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]__ | Status of the credential issuer.
 |===
 
 
@@ -48,8 +48,8 @@ Package v1alpha1 is the v1alpha1 version of the API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`server`* __string__ | The K8s API server URL. Required.
+| *`server`* __string__ | The K8s API server URL.
-| *`certificateAuthorityData`* __string__ | The K8s API server CA bundle. Required.
+| *`certificateAuthorityData`* __string__ | The K8s API server CA bundle.
 |===
 
 
@@ -58,7 +58,7 @@ Package v1alpha1 is the v1alpha1 version of the API.
 [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-crdpinniped-v1alpha1-credentialissuerconfigstatus"]
 ==== CredentialIssuerConfigStatus 
 
-
+Status of a credential issuer.
 
 .Appears In:
 ****
@@ -68,8 +68,8 @@ Package v1alpha1 is the v1alpha1 version of the API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`strategies`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-crdpinniped-v1alpha1-credentialissuerconfigstrategy[$$CredentialIssuerConfigStrategy$$] array__ | 
+| *`strategies`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-crdpinniped-v1alpha1-credentialissuerconfigstrategy[$$CredentialIssuerConfigStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
-| *`kubeConfigInfo`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-crdpinniped-v1alpha1-credentialissuerconfigkubeconfiginfo[$$CredentialIssuerConfigKubeConfigInfo$$]__ | 
+| *`kubeConfigInfo`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-crdpinniped-v1alpha1-credentialissuerconfigkubeconfiginfo[$$CredentialIssuerConfigKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 |===
 
 
@@ -86,11 +86,11 @@ Package v1alpha1 is the v1alpha1 version of the API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`type`* __StrategyType__ | 
+| *`type`* __StrategyType__ | Type of integration attempted.
-| *`status`* __StrategyStatus__ | 
+| *`status`* __StrategyStatus__ | Status of the attempted integration strategy.
-| *`reason`* __StrategyReason__ | 
+| *`reason`* __StrategyReason__ | Reason for the current status.
-| *`message`* __string__ | 
+| *`message`* __string__ | Human-readable description of the current status.
-| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | 
+| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | When the status was last checked.
 |===
 
 
@@ -98,7 +98,7 @@ Package v1alpha1 is the v1alpha1 version of the API.
 [id="{anchor_prefix}-pinniped-dev-v1alpha1"]
 === pinniped.dev/v1alpha1
 
-Package v1alpha1 is the v1alpha1 version of the API.
+Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
 
 
 

generated/1.17/apis/crdpinniped/doc.go

@@ -6,5 +6,5 @@ SPDX-License-Identifier: Apache-2.0
 // +k8s:deepcopy-gen=package
 // +groupName=crd.pinniped.dev
 
-// Package crdpinniped is the internal version of the API.
+// Package crdpinniped is the internal version of the Pinniped CRD-based API.
 package crdpinniped

generated/1.17/apis/crdpinniped/v1alpha1/doc.go

@@ -9,5 +9,5 @@ SPDX-License-Identifier: Apache-2.0
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=crd.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped CRD-based API.
 package v1alpha1

generated/1.17/apis/crdpinniped/v1alpha1/types.go

@@ -7,8 +7,13 @@ package v1alpha1
 
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+// +kubebuilder:validation:Enum=KubeClusterSigningCertificate
 type StrategyType string
+
+// +kubebuilder:validation:Enum=Success;Error
 type StrategyStatus string
+
+// +kubebuilder:validation:Enum=FetchedKey;CouldNotFetchKey
 type StrategyReason string
 
 const (
@@ -21,39 +26,63 @@ const (
 	FetchedKeyStrategyReason       = StrategyReason("FetchedKey")
 )
 
+// Status of a credential issuer.
 type CredentialIssuerConfigStatus struct {
+	// List of integration strategies that were attempted by Pinniped.
 	Strategies []CredentialIssuerConfigStrategy `json:"strategies"`
 
+	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 	// +optional
 	KubeConfigInfo *CredentialIssuerConfigKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
 }
 
+// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 type CredentialIssuerConfigKubeConfigInfo struct {
-	// The K8s API server URL. Required.
+	// The K8s API server URL.
-	Server string `json:"server,omitempty"`
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://|^http://`
+	Server string `json:"server"`
 
-	// The K8s API server CA bundle. Required.
+	// The K8s API server CA bundle.
-	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// +kubebuilder:validation:MinLength=1
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }
 
+// Status of an integration strategy that was attempted by Pinniped.
 type CredentialIssuerConfigStrategy struct {
-	Type           StrategyType   `json:"type,omitempty"`
+	// Type of integration attempted.
-	Status         StrategyStatus `json:"status,omitempty"`
+	Type StrategyType `json:"type"`
-	Reason         StrategyReason `json:"reason,omitempty"`
+
-	Message        string         `json:"message,omitempty"`
+	// Status of the attempted integration strategy.
+	Status StrategyStatus `json:"status"`
+
+	// Reason for the current status.
+	Reason StrategyReason `json:"reason"`
+
+	// Human-readable description of the current status.
+	// +kubebuilder:validation:MinLength=1
+	Message string `json:"message"`
+
+	// When the status was last checked.
 	LastUpdateTime metav1.Time `json:"lastUpdateTime"`
 }
 
+
+// Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:shortName=cic
 
 type CredentialIssuerConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
+	// Status of the credential issuer.
 	Status CredentialIssuerConfigStatus `json:"status"`
 }
 
+
+// List of CredentialIssuerConfig objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 type CredentialIssuerConfigList struct {

generated/1.17/apis/pinniped/doc.go

@@ -6,5 +6,5 @@ SPDX-License-Identifier: Apache-2.0
 // +k8s:deepcopy-gen=package
 // +groupName=pinniped.dev
 
-// Package pinniped is the internal version of the API.
+// Package pinniped is the internal version of the Pinniped aggregated API.
 package pinniped

generated/1.17/apis/pinniped/v1alpha1/doc.go

@@ -9,5 +9,5 @@ SPDX-License-Identifier: Apache-2.0
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
 package v1alpha1

generated/1.17/client/openapi/zz_generated.openapi.go

@@ -111,6 +111,7 @@ func schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfig(ref common.Refe
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Status of the credential issuer.",
 							Ref:         ref("github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStatus"),
 						},
 					},
@@ -127,23 +128,25 @@ func schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfigKubeConfigInfo(r
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
+				Description: "Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"server": {
 						SchemaProps: spec.SchemaProps{
-							Description: "The K8s API server URL. Required.",
+							Description: "The K8s API server URL.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"certificateAuthorityData": {
 						SchemaProps: spec.SchemaProps{
-							Description: "The K8s API server CA bundle. Required.",
+							Description: "The K8s API server CA bundle.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 				},
+				Required: []string{"server", "certificateAuthorityData"},
 			},
 		},
 	}
@@ -199,10 +202,12 @@ func schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStatus(ref commo
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
+				Description: "Status of a credential issuer.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"strategies": {
 						SchemaProps: spec.SchemaProps{
+							Description: "List of integration strategies that were attempted by Pinniped.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
@@ -215,6 +220,7 @@ func schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStatus(ref commo
 					},
 					"kubeConfigInfo": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.",
 							Ref:         ref("github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1.CredentialIssuerConfigKubeConfigInfo"),
 						},
 					},
@@ -231,39 +237,45 @@ func schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref com
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
+				Description: "Status of an integration strategy that was attempted by Pinniped.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"type": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Type of integration attempted.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Status of the attempted integration strategy.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"reason": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Reason for the current status.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"message": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Human-readable description of the current status.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"lastUpdateTime": {
 						SchemaProps: spec.SchemaProps{
+							Description: "When the status was last checked.",
 							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
 						},
 					},
 				},
-				Required: []string{"lastUpdateTime"},
+				Required: []string{"type", "status", "reason", "message", "lastUpdateTime"},
 			},
 		},
 		Dependencies: []string{

generated/1.17/crds/crd.pinniped.dev_credentialissuerconfigs.yaml

@@ -0,0 +1,110 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: credentialissuerconfigs.crd.pinniped.dev
+spec:
+  group: crd.pinniped.dev
+  names:
+    kind: CredentialIssuerConfig
+    listKind: CredentialIssuerConfigList
+    plural: credentialissuerconfigs
+    shortNames:
+    - cic
+    singular: credentialissuerconfig
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          status:
+            description: Status of the credential issuer.
+            properties:
+              kubeConfigInfo:
+                description: Information needed to form a valid Pinniped-based kubeconfig
+                  using this credential issuer.
+                properties:
+                  certificateAuthorityData:
+                    description: The K8s API server CA bundle.
+                    minLength: 1
+                    type: string
+                  server:
+                    description: The K8s API server URL.
+                    minLength: 1
+                    pattern: ^https://|^http://
+                    type: string
+                required:
+                - certificateAuthorityData
+                - server
+                type: object
+              strategies:
+                description: List of integration strategies that were attempted by
+                  Pinniped.
+                items:
+                  description: Status of an integration strategy that was attempted
+                    by Pinniped.
+                  properties:
+                    lastUpdateTime:
+                      description: When the status was last checked.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable description of the current status.
+                      minLength: 1
+                      type: string
+                    reason:
+                      description: Reason for the current status.
+                      enum:
+                      - FetchedKey
+                      - CouldNotFetchKey
+                      type: string
+                    status:
+                      description: Status of the attempted integration strategy.
+                      enum:
+                      - Success
+                      - Error
+                      type: string
+                    type:
+                      description: Type of integration attempted.
+                      enum:
+                      - KubeClusterSigningCertificate
+                      type: string
+                  required:
+                  - lastUpdateTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            required:
+            - strategies
+            type: object
+        required:
+        - status
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

generated/1.18/README.adoc

@@ -12,7 +12,7 @@
 [id="{anchor_prefix}-crd-pinniped-dev-v1alpha1"]
 === crd.pinniped.dev/v1alpha1
 
-Package v1alpha1 is the v1alpha1 version of the API.
+Package v1alpha1 is the v1alpha1 version of the Pinniped CRD-based API.
 
 
 
@@ -31,7 +31,7 @@ Package v1alpha1 is the v1alpha1 version of the API.
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-crdpinniped-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]__ | 
+| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-crdpinniped-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]__ | Status of the credential issuer.
 |===
 
 
@@ -48,8 +48,8 @@ Package v1alpha1 is the v1alpha1 version of the API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`server`* __string__ | The K8s API server URL. Required.
+| *`server`* __string__ | The K8s API server URL.
-| *`certificateAuthorityData`* __string__ | The K8s API server CA bundle. Required.
+| *`certificateAuthorityData`* __string__ | The K8s API server CA bundle.
 |===
 
 
@@ -58,7 +58,7 @@ Package v1alpha1 is the v1alpha1 version of the API.
 [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-crdpinniped-v1alpha1-credentialissuerconfigstatus"]
 ==== CredentialIssuerConfigStatus 
 
-
+Status of a credential issuer.
 
 .Appears In:
 ****
@@ -68,8 +68,8 @@ Package v1alpha1 is the v1alpha1 version of the API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`strategies`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-crdpinniped-v1alpha1-credentialissuerconfigstrategy[$$CredentialIssuerConfigStrategy$$] array__ | 
+| *`strategies`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-crdpinniped-v1alpha1-credentialissuerconfigstrategy[$$CredentialIssuerConfigStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
-| *`kubeConfigInfo`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-crdpinniped-v1alpha1-credentialissuerconfigkubeconfiginfo[$$CredentialIssuerConfigKubeConfigInfo$$]__ | 
+| *`kubeConfigInfo`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-crdpinniped-v1alpha1-credentialissuerconfigkubeconfiginfo[$$CredentialIssuerConfigKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 |===
 
 
@@ -86,11 +86,11 @@ Package v1alpha1 is the v1alpha1 version of the API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`type`* __StrategyType__ | 
+| *`type`* __StrategyType__ | Type of integration attempted.
-| *`status`* __StrategyStatus__ | 
+| *`status`* __StrategyStatus__ | Status of the attempted integration strategy.
-| *`reason`* __StrategyReason__ | 
+| *`reason`* __StrategyReason__ | Reason for the current status.
-| *`message`* __string__ | 
+| *`message`* __string__ | Human-readable description of the current status.
-| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | 
+| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | When the status was last checked.
 |===
 
 
@@ -98,7 +98,7 @@ Package v1alpha1 is the v1alpha1 version of the API.
 [id="{anchor_prefix}-pinniped-dev-v1alpha1"]
 === pinniped.dev/v1alpha1
 
-Package v1alpha1 is the v1alpha1 version of the API.
+Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
 
 
 

generated/1.18/apis/crdpinniped/doc.go

@@ -6,5 +6,5 @@ SPDX-License-Identifier: Apache-2.0
 // +k8s:deepcopy-gen=package
 // +groupName=crd.pinniped.dev
 
-// Package crdpinniped is the internal version of the API.
+// Package crdpinniped is the internal version of the Pinniped CRD-based API.
 package crdpinniped

generated/1.18/apis/crdpinniped/v1alpha1/doc.go

@@ -9,5 +9,5 @@ SPDX-License-Identifier: Apache-2.0
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=crd.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped CRD-based API.
 package v1alpha1

generated/1.18/apis/crdpinniped/v1alpha1/types.go

@@ -7,8 +7,13 @@ package v1alpha1
 
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+// +kubebuilder:validation:Enum=KubeClusterSigningCertificate
 type StrategyType string
+
+// +kubebuilder:validation:Enum=Success;Error
 type StrategyStatus string
+
+// +kubebuilder:validation:Enum=FetchedKey;CouldNotFetchKey
 type StrategyReason string
 
 const (
@@ -21,39 +26,63 @@ const (
 	FetchedKeyStrategyReason       = StrategyReason("FetchedKey")
 )
 
+// Status of a credential issuer.
 type CredentialIssuerConfigStatus struct {
+	// List of integration strategies that were attempted by Pinniped.
 	Strategies []CredentialIssuerConfigStrategy `json:"strategies"`
 
+	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 	// +optional
 	KubeConfigInfo *CredentialIssuerConfigKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
 }
 
+// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 type CredentialIssuerConfigKubeConfigInfo struct {
-	// The K8s API server URL. Required.
+	// The K8s API server URL.
-	Server string `json:"server,omitempty"`
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://|^http://`
+	Server string `json:"server"`
 
-	// The K8s API server CA bundle. Required.
+	// The K8s API server CA bundle.
-	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// +kubebuilder:validation:MinLength=1
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }
 
+// Status of an integration strategy that was attempted by Pinniped.
 type CredentialIssuerConfigStrategy struct {
-	Type           StrategyType   `json:"type,omitempty"`
+	// Type of integration attempted.
-	Status         StrategyStatus `json:"status,omitempty"`
+	Type StrategyType `json:"type"`
-	Reason         StrategyReason `json:"reason,omitempty"`
+
-	Message        string         `json:"message,omitempty"`
+	// Status of the attempted integration strategy.
+	Status StrategyStatus `json:"status"`
+
+	// Reason for the current status.
+	Reason StrategyReason `json:"reason"`
+
+	// Human-readable description of the current status.
+	// +kubebuilder:validation:MinLength=1
+	Message string `json:"message"`
+
+	// When the status was last checked.
 	LastUpdateTime metav1.Time `json:"lastUpdateTime"`
 }
 
+
+// Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:shortName=cic
 
 type CredentialIssuerConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
+	// Status of the credential issuer.
 	Status CredentialIssuerConfigStatus `json:"status"`
 }
 
+
+// List of CredentialIssuerConfig objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 type CredentialIssuerConfigList struct {

generated/1.18/apis/pinniped/doc.go

@@ -6,5 +6,5 @@ SPDX-License-Identifier: Apache-2.0
 // +k8s:deepcopy-gen=package
 // +groupName=pinniped.dev
 
-// Package pinniped is the internal version of the API.
+// Package pinniped is the internal version of the Pinniped aggregated API.
 package pinniped

generated/1.18/apis/pinniped/v1alpha1/doc.go

@@ -9,5 +9,5 @@ SPDX-License-Identifier: Apache-2.0
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
 package v1alpha1

generated/1.18/client/openapi/zz_generated.openapi.go

@@ -111,6 +111,7 @@ func schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfig(ref common.Refe
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Status of the credential issuer.",
 							Ref:         ref("github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStatus"),
 						},
 					},
@@ -127,23 +128,25 @@ func schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfigKubeConfigInfo(r
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
+				Description: "Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"server": {
 						SchemaProps: spec.SchemaProps{
-							Description: "The K8s API server URL. Required.",
+							Description: "The K8s API server URL.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"certificateAuthorityData": {
 						SchemaProps: spec.SchemaProps{
-							Description: "The K8s API server CA bundle. Required.",
+							Description: "The K8s API server CA bundle.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 				},
+				Required: []string{"server", "certificateAuthorityData"},
 			},
 		},
 	}
@@ -199,10 +202,12 @@ func schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStatus(ref commo
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
+				Description: "Status of a credential issuer.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"strategies": {
 						SchemaProps: spec.SchemaProps{
+							Description: "List of integration strategies that were attempted by Pinniped.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
@@ -215,6 +220,7 @@ func schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStatus(ref commo
 					},
 					"kubeConfigInfo": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.",
 							Ref:         ref("github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1.CredentialIssuerConfigKubeConfigInfo"),
 						},
 					},
@@ -231,39 +237,45 @@ func schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref com
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
+				Description: "Status of an integration strategy that was attempted by Pinniped.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"type": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Type of integration attempted.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Status of the attempted integration strategy.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"reason": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Reason for the current status.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"message": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Human-readable description of the current status.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"lastUpdateTime": {
 						SchemaProps: spec.SchemaProps{
+							Description: "When the status was last checked.",
 							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
 						},
 					},
 				},
-				Required: []string{"lastUpdateTime"},
+				Required: []string{"type", "status", "reason", "message", "lastUpdateTime"},
 			},
 		},
 		Dependencies: []string{

generated/1.18/crds/crd.pinniped.dev_credentialissuerconfigs.yaml

@@ -0,0 +1,110 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: credentialissuerconfigs.crd.pinniped.dev
+spec:
+  group: crd.pinniped.dev
+  names:
+    kind: CredentialIssuerConfig
+    listKind: CredentialIssuerConfigList
+    plural: credentialissuerconfigs
+    shortNames:
+    - cic
+    singular: credentialissuerconfig
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          status:
+            description: Status of the credential issuer.
+            properties:
+              kubeConfigInfo:
+                description: Information needed to form a valid Pinniped-based kubeconfig
+                  using this credential issuer.
+                properties:
+                  certificateAuthorityData:
+                    description: The K8s API server CA bundle.
+                    minLength: 1
+                    type: string
+                  server:
+                    description: The K8s API server URL.
+                    minLength: 1
+                    pattern: ^https://|^http://
+                    type: string
+                required:
+                - certificateAuthorityData
+                - server
+                type: object
+              strategies:
+                description: List of integration strategies that were attempted by
+                  Pinniped.
+                items:
+                  description: Status of an integration strategy that was attempted
+                    by Pinniped.
+                  properties:
+                    lastUpdateTime:
+                      description: When the status was last checked.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable description of the current status.
+                      minLength: 1
+                      type: string
+                    reason:
+                      description: Reason for the current status.
+                      enum:
+                      - FetchedKey
+                      - CouldNotFetchKey
+                      type: string
+                    status:
+                      description: Status of the attempted integration strategy.
+                      enum:
+                      - Success
+                      - Error
+                      type: string
+                    type:
+                      description: Type of integration attempted.
+                      enum:
+                      - KubeClusterSigningCertificate
+                      type: string
+                  required:
+                  - lastUpdateTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            required:
+            - strategies
+            type: object
+        required:
+        - status
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

generated/1.19/README.adoc

@@ -12,7 +12,7 @@
 [id="{anchor_prefix}-crd-pinniped-dev-v1alpha1"]
 === crd.pinniped.dev/v1alpha1
 
-Package v1alpha1 is the v1alpha1 version of the API.
+Package v1alpha1 is the v1alpha1 version of the Pinniped CRD-based API.
 
 
 
@@ -31,7 +31,7 @@ Package v1alpha1 is the v1alpha1 version of the API.
 | Field | Description
 | *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`.
 
-| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-crdpinniped-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]__ | 
+| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-crdpinniped-v1alpha1-credentialissuerconfigstatus[$$CredentialIssuerConfigStatus$$]__ | Status of the credential issuer.
 |===
 
 
@@ -48,8 +48,8 @@ Package v1alpha1 is the v1alpha1 version of the API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`server`* __string__ | The K8s API server URL. Required.
+| *`server`* __string__ | The K8s API server URL.
-| *`certificateAuthorityData`* __string__ | The K8s API server CA bundle. Required.
+| *`certificateAuthorityData`* __string__ | The K8s API server CA bundle.
 |===
 
 
@@ -58,7 +58,7 @@ Package v1alpha1 is the v1alpha1 version of the API.
 [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-crdpinniped-v1alpha1-credentialissuerconfigstatus"]
 ==== CredentialIssuerConfigStatus 
 
-
+Status of a credential issuer.
 
 .Appears In:
 ****
@@ -68,8 +68,8 @@ Package v1alpha1 is the v1alpha1 version of the API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`strategies`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-crdpinniped-v1alpha1-credentialissuerconfigstrategy[$$CredentialIssuerConfigStrategy$$] array__ | 
+| *`strategies`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-crdpinniped-v1alpha1-credentialissuerconfigstrategy[$$CredentialIssuerConfigStrategy$$] array__ | List of integration strategies that were attempted by Pinniped.
-| *`kubeConfigInfo`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-crdpinniped-v1alpha1-credentialissuerconfigkubeconfiginfo[$$CredentialIssuerConfigKubeConfigInfo$$]__ | 
+| *`kubeConfigInfo`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-crdpinniped-v1alpha1-credentialissuerconfigkubeconfiginfo[$$CredentialIssuerConfigKubeConfigInfo$$]__ | Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 |===
 
 
@@ -86,11 +86,11 @@ Package v1alpha1 is the v1alpha1 version of the API.
 [cols="25a,75a", options="header"]
 |===
 | Field | Description
-| *`type`* __StrategyType__ | 
+| *`type`* __StrategyType__ | Type of integration attempted.
-| *`status`* __StrategyStatus__ | 
+| *`status`* __StrategyStatus__ | Status of the attempted integration strategy.
-| *`reason`* __StrategyReason__ | 
+| *`reason`* __StrategyReason__ | Reason for the current status.
-| *`message`* __string__ | 
+| *`message`* __string__ | Human-readable description of the current status.
-| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | 
+| *`lastUpdateTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | When the status was last checked.
 |===
 
 
@@ -98,7 +98,7 @@ Package v1alpha1 is the v1alpha1 version of the API.
 [id="{anchor_prefix}-pinniped-dev-v1alpha1"]
 === pinniped.dev/v1alpha1
 
-Package v1alpha1 is the v1alpha1 version of the API.
+Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
 
 
 

generated/1.19/apis/crdpinniped/doc.go

@@ -6,5 +6,5 @@ SPDX-License-Identifier: Apache-2.0
 // +k8s:deepcopy-gen=package
 // +groupName=crd.pinniped.dev
 
-// Package crdpinniped is the internal version of the API.
+// Package crdpinniped is the internal version of the Pinniped CRD-based API.
 package crdpinniped

generated/1.19/apis/crdpinniped/v1alpha1/doc.go

@@ -9,5 +9,5 @@ SPDX-License-Identifier: Apache-2.0
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=crd.pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped CRD-based API.
 package v1alpha1

generated/1.19/apis/crdpinniped/v1alpha1/types.go

@@ -7,8 +7,13 @@ package v1alpha1
 
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+// +kubebuilder:validation:Enum=KubeClusterSigningCertificate
 type StrategyType string
+
+// +kubebuilder:validation:Enum=Success;Error
 type StrategyStatus string
+
+// +kubebuilder:validation:Enum=FetchedKey;CouldNotFetchKey
 type StrategyReason string
 
 const (
@@ -21,39 +26,63 @@ const (
 	FetchedKeyStrategyReason       = StrategyReason("FetchedKey")
 )
 
+// Status of a credential issuer.
 type CredentialIssuerConfigStatus struct {
+	// List of integration strategies that were attempted by Pinniped.
 	Strategies []CredentialIssuerConfigStrategy `json:"strategies"`
 
+	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 	// +optional
 	KubeConfigInfo *CredentialIssuerConfigKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
 }
 
+// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
 type CredentialIssuerConfigKubeConfigInfo struct {
-	// The K8s API server URL. Required.
+	// The K8s API server URL.
-	Server string `json:"server,omitempty"`
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://|^http://`
+	Server string `json:"server"`
 
-	// The K8s API server CA bundle. Required.
+	// The K8s API server CA bundle.
-	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
+	// +kubebuilder:validation:MinLength=1
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }
 
+// Status of an integration strategy that was attempted by Pinniped.
 type CredentialIssuerConfigStrategy struct {
-	Type           StrategyType   `json:"type,omitempty"`
+	// Type of integration attempted.
-	Status         StrategyStatus `json:"status,omitempty"`
+	Type StrategyType `json:"type"`
-	Reason         StrategyReason `json:"reason,omitempty"`
+
-	Message        string         `json:"message,omitempty"`
+	// Status of the attempted integration strategy.
+	Status StrategyStatus `json:"status"`
+
+	// Reason for the current status.
+	Reason StrategyReason `json:"reason"`
+
+	// Human-readable description of the current status.
+	// +kubebuilder:validation:MinLength=1
+	Message string `json:"message"`
+
+	// When the status was last checked.
 	LastUpdateTime metav1.Time `json:"lastUpdateTime"`
 }
 
+
+// Describes the configuration status of a Pinniped credential issuer.
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:shortName=cic
 
 type CredentialIssuerConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
+	// Status of the credential issuer.
 	Status CredentialIssuerConfigStatus `json:"status"`
 }
 
+
+// List of CredentialIssuerConfig objects.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 type CredentialIssuerConfigList struct {

generated/1.19/apis/pinniped/doc.go

@@ -6,5 +6,5 @@ SPDX-License-Identifier: Apache-2.0
 // +k8s:deepcopy-gen=package
 // +groupName=pinniped.dev
 
-// Package pinniped is the internal version of the API.
+// Package pinniped is the internal version of the Pinniped aggregated API.
 package pinniped

generated/1.19/apis/pinniped/v1alpha1/doc.go

@@ -9,5 +9,5 @@ SPDX-License-Identifier: Apache-2.0
 // +k8s:defaulter-gen=TypeMeta
 // +groupName=pinniped.dev
 
-// Package v1alpha1 is the v1alpha1 version of the API.
+// Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API.
 package v1alpha1

generated/1.19/client/openapi/zz_generated.openapi.go

@@ -112,6 +112,7 @@ func schema_119_apis_crdpinniped_v1alpha1_CredentialIssuerConfig(ref common.Refe
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Status of the credential issuer.",
 							Ref:         ref("github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStatus"),
 						},
 					},
@@ -128,23 +129,25 @@ func schema_119_apis_crdpinniped_v1alpha1_CredentialIssuerConfigKubeConfigInfo(r
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
+				Description: "Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"server": {
 						SchemaProps: spec.SchemaProps{
-							Description: "The K8s API server URL. Required.",
+							Description: "The K8s API server URL.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"certificateAuthorityData": {
 						SchemaProps: spec.SchemaProps{
-							Description: "The K8s API server CA bundle. Required.",
+							Description: "The K8s API server CA bundle.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 				},
+				Required: []string{"server", "certificateAuthorityData"},
 			},
 		},
 	}
@@ -200,10 +203,12 @@ func schema_119_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStatus(ref commo
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
+				Description: "Status of a credential issuer.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"strategies": {
 						SchemaProps: spec.SchemaProps{
+							Description: "List of integration strategies that were attempted by Pinniped.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
@@ -216,6 +221,7 @@ func schema_119_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStatus(ref commo
 					},
 					"kubeConfigInfo": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.",
 							Ref:         ref("github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1.CredentialIssuerConfigKubeConfigInfo"),
 						},
 					},
@@ -232,39 +238,45 @@ func schema_119_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref com
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
+				Description: "Status of an integration strategy that was attempted by Pinniped.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"type": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Type of integration attempted.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Status of the attempted integration strategy.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"reason": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Reason for the current status.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"message": {
 						SchemaProps: spec.SchemaProps{
+							Description: "Human-readable description of the current status.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"lastUpdateTime": {
 						SchemaProps: spec.SchemaProps{
+							Description: "When the status was last checked.",
 							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
 						},
 					},
 				},
-				Required: []string{"lastUpdateTime"},
+				Required: []string{"type", "status", "reason", "message", "lastUpdateTime"},
 			},
 		},
 		Dependencies: []string{

generated/1.19/crds/crd.pinniped.dev_credentialissuerconfigs.yaml

@@ -0,0 +1,110 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: credentialissuerconfigs.crd.pinniped.dev
+spec:
+  group: crd.pinniped.dev
+  names:
+    kind: CredentialIssuerConfig
+    listKind: CredentialIssuerConfigList
+    plural: credentialissuerconfigs
+    shortNames:
+    - cic
+    singular: credentialissuerconfig
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          status:
+            description: Status of the credential issuer.
+            properties:
+              kubeConfigInfo:
+                description: Information needed to form a valid Pinniped-based kubeconfig
+                  using this credential issuer.
+                properties:
+                  certificateAuthorityData:
+                    description: The K8s API server CA bundle.
+                    minLength: 1
+                    type: string
+                  server:
+                    description: The K8s API server URL.
+                    minLength: 1
+                    pattern: ^https://|^http://
+                    type: string
+                required:
+                - certificateAuthorityData
+                - server
+                type: object
+              strategies:
+                description: List of integration strategies that were attempted by
+                  Pinniped.
+                items:
+                  description: Status of an integration strategy that was attempted
+                    by Pinniped.
+                  properties:
+                    lastUpdateTime:
+                      description: When the status was last checked.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable description of the current status.
+                      minLength: 1
+                      type: string
+                    reason:
+                      description: Reason for the current status.
+                      enum:
+                      - FetchedKey
+                      - CouldNotFetchKey
+                      type: string
+                    status:
+                      description: Status of the attempted integration strategy.
+                      enum:
+                      - Success
+                      - Error
+                      type: string
+                    type:
+                      description: Type of integration attempted.
+                      enum:
+                      - KubeClusterSigningCertificate
+                      type: string
+                  required:
+                  - lastUpdateTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            required:
+            - strategies
+            type: object
+        required:
+        - status
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

hack/lib/update-codegen.sh

@@ -152,3 +152,8 @@ crd-ref-docs \
     --renderer=asciidoctor \
     --templates-dir="${ROOT}/hack/lib/docs/templates" \
     --output-path="${ROOT}/generated/${KUBE_MINOR_VERSION}/README.adoc"
+
+# Generate CRD YAML
+(cd apis &&
+    controller-gen paths=./crdpinniped/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds
+)

hack/update.sh

@@ -8,4 +8,5 @@ set -euo pipefail
 ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
 
 xargs "$ROOT/hack/lib/update-codegen.sh" < "${ROOT}/hack/lib/kube-versions.txt"
+cp "$ROOT/generated/1.19/crds/crd.pinniped.dev_credentialissuerconfigs.yaml" "$ROOT/deploy/crd.yaml"
 "$ROOT/hack/module.sh" tidy