From 8df9033bfcd3dc270fe6ad2099ed0f039711d3a7 Mon Sep 17 00:00:00 2001 
From: Joshua Casey Date: Thu, 20 Jul 2023 12:06:09 -0500 Subject: [PATCH] Add CredentialIssuer.Spec.ImpersonationProxy.TLS to configure an externally provided TLS secret --- .../v1alpha1/types_credentialissuer.go.tmpl | 23 ++++++++++++++++++- ...cierge.pinniped.dev_credentialissuers.yaml | 17 ++++++++++++++ generated/1.17/README.adoc | 19 +++++++++++++++ .../config/v1alpha1/types_credentialissuer.go | 23 ++++++++++++++++++- .../config/v1alpha1/zz_generated.deepcopy.go | 21 +++++++++++++++++ ...cierge.pinniped.dev_credentialissuers.yaml | 17 ++++++++++++++ generated/1.18/README.adoc | 19 +++++++++++++++ .../config/v1alpha1/types_credentialissuer.go | 23 ++++++++++++++++++- .../config/v1alpha1/zz_generated.deepcopy.go | 21 +++++++++++++++++ ...cierge.pinniped.dev_credentialissuers.yaml | 17 ++++++++++++++ generated/1.19/README.adoc | 19 +++++++++++++++ .../config/v1alpha1/types_credentialissuer.go | 23 ++++++++++++++++++- .../config/v1alpha1/zz_generated.deepcopy.go | 21 +++++++++++++++++ ...cierge.pinniped.dev_credentialissuers.yaml | 17 ++++++++++++++ generated/1.20/README.adoc | 19 +++++++++++++++ .../config/v1alpha1/types_credentialissuer.go | 23 ++++++++++++++++++- .../config/v1alpha1/zz_generated.deepcopy.go | 21 +++++++++++++++++ ...cierge.pinniped.dev_credentialissuers.yaml | 17 ++++++++++++++ generated/1.21/README.adoc | 19 +++++++++++++++ .../config/v1alpha1/types_credentialissuer.go | 23 ++++++++++++++++++- .../config/v1alpha1/zz_generated.deepcopy.go | 21 +++++++++++++++++ ...cierge.pinniped.dev_credentialissuers.yaml | 17 ++++++++++++++ generated/1.22/README.adoc | 19 +++++++++++++++ .../config/v1alpha1/types_credentialissuer.go | 23 ++++++++++++++++++- .../config/v1alpha1/zz_generated.deepcopy.go | 21 +++++++++++++++++ ...cierge.pinniped.dev_credentialissuers.yaml | 17 ++++++++++++++ generated/1.23/README.adoc | 19 +++++++++++++++ .../config/v1alpha1/types_credentialissuer.go | 23 ++++++++++++++++++- .../config/v1alpha1/zz_generated.deepcopy.go | 21 
+++++++++++++++++ ...cierge.pinniped.dev_credentialissuers.yaml | 17 ++++++++++++++ generated/1.24/README.adoc | 19 +++++++++++++++ .../config/v1alpha1/types_credentialissuer.go | 23 ++++++++++++++++++- .../config/v1alpha1/zz_generated.deepcopy.go | 21 +++++++++++++++++ ...cierge.pinniped.dev_credentialissuers.yaml | 17 ++++++++++++++ generated/1.25/README.adoc | 19 +++++++++++++++ .../config/v1alpha1/types_credentialissuer.go | 23 ++++++++++++++++++- .../config/v1alpha1/zz_generated.deepcopy.go | 21 +++++++++++++++++ ...cierge.pinniped.dev_credentialissuers.yaml | 17 ++++++++++++++ generated/1.26/README.adoc | 19 +++++++++++++++ .../config/v1alpha1/types_credentialissuer.go | 23 ++++++++++++++++++- .../config/v1alpha1/zz_generated.deepcopy.go | 21 +++++++++++++++++ ...cierge.pinniped.dev_credentialissuers.yaml | 17 ++++++++++++++ generated/1.27/README.adoc | 19 +++++++++++++++ .../config/v1alpha1/types_credentialissuer.go | 23 ++++++++++++++++++- .../config/v1alpha1/zz_generated.deepcopy.go | 21 +++++++++++++++++ ...cierge.pinniped.dev_credentialissuers.yaml | 17 ++++++++++++++ .../config/v1alpha1/types_credentialissuer.go | 23 ++++++++++++++++++- .../config/v1alpha1/zz_generated.deepcopy.go | 21 +++++++++++++++++ 48 files changed, 951 insertions(+), 13 deletions(-) diff --git a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl index d1cb160b..1e869247 100644 --- a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl +++ b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 
@@ -80,6 +80,22 @@ const ( ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None") ) +// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should +// serve TLS. +type ImpersonationProxyTLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). + // Used to advertise the CA bundle for the impersonation proxy endpoint. + // + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + + // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the Concierge impersonation proxy endpoint. + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName,omitempty"` +} + // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy. type ImpersonationProxySpec struct { // Mode configures whether the impersonation proxy should be started: @@ -100,6 +116,11 @@ type ImpersonationProxySpec struct { // // +optional ExternalEndpoint string `json:"externalEndpoint,omitempty"` + + // TLS contains information about how the Concierge impersonation proxy should serve TLS. + // + // +optional + TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy. diff --git a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml index faa2b6d3..76b3a3db 100644 --- a/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml 
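Review bot: `SecretName` in the new `ImpersonationProxyTLSSpec` carries `+kubebuilder:validation:MinLength=1` but is tagged `json:"secretName,omitempty"` with no required marker, so the length check only applies when the key is present. The regenerated CRD schema in this same patch confirms it: the `tls` object has no `required` list, so `tls: {}` or a `tls` block holding only `certificateAuthorityData` is admitted. If a serving-certificate Secret is mandatory whenever `tls` is set, express that in the schema by adding `// +kubebuilder:validation:Required` above the field or by changing the tag to `json:"secretName"`. Otherwise the controller has to reject an empty name itself, and that code is not part of this patch. The copies of this struct under `generated/1.17` through `generated/1.21` are generated from this template and would pick up the change on regeneration.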
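Review bot: The comment on the new `TLS` field in `ImpersonationProxySpec` does not say what a nil value means, and the comment on `CertificateAuthorityData` does not say whether the bundle is checked against the certificate in `SecretName` or published as given. I would state the default on the field, for example `// If omitted, the Concierge continues to manage its own CA and serving certificate.`, after confirming that against the controller, which is outside this patch. On `CertificateAuthorityData` I would add one sentence such as `// This value is advertised to clients as provided; it is not verified against the Secret's certificate.` or its opposite, whichever the implementation does. If the bundle is published unverified, write access to CredentialIssuer amounts to choosing the CA that clients are told to trust for the proxy endpoint, which is worth documenting for whoever sets RBAC on this resource. `ImpersonationProxySpec` begins above this hunk and its other fields are only partly visible here.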
@@ -103,6 +103,23 @@ spec: - None type: string type: object + tls: + description: TLS contains information about how the Concierge + impersonation proxy should serve TLS. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). Used to advertise the CA bundle for the impersonation + proxy endpoint. + type: string + secretName: + description: SecretName is the name of a Secret in the same + namespace, of type `kubernetes.io/tls`, which contains the + TLS serving certificate for the Concierge impersonation + proxy endpoint. + minLength: 1 + type: string + type: object required: - mode - service diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 78ee0c31..3fef5a09 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc 
@@ -568,6 +568,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] +==== ImpersonationProxyTLSSpec + +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint. +| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint. |=== 
diff --git a/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go index d1cb160b..1e869247 100644 --- a/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.17/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -80,6 +80,22 @@ const ( ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None") ) +// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should +// serve TLS. +type ImpersonationProxyTLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). + // Used to advertise the CA bundle for the impersonation proxy endpoint. + // + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + + // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the Concierge impersonation proxy endpoint. + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName,omitempty"` +} + // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy. type ImpersonationProxySpec struct { // Mode configures whether the impersonation proxy should be started: @@ -100,6 +116,11 @@ type ImpersonationProxySpec struct { // // +optional ExternalEndpoint string `json:"externalEndpoint,omitempty"` + + // TLS contains information about how the Concierge impersonation proxy should serve TLS. + // + // +optional + TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy. 
diff --git a/generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go index 1d2678de..d4a01ba4 100644 --- a/generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.17/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go @@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) { *out = *in in.Service.DeepCopyInto(&out.Service) + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(ImpersonationProxyTLSSpec) + **out = **in + } return } @@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec. +func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec { + if in == nil { + return nil + } + out := new(ImpersonationProxyTLSSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) { *out = *in diff --git a/generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml index faa2b6d3..76b3a3db 100644 --- a/generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.17/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -103,6 +103,23 @@ spec: - None type: string type: object + tls: + description: TLS contains information about how the Concierge + impersonation proxy should serve TLS. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). Used to advertise the CA bundle for the impersonation + proxy endpoint. + type: string + secretName: + description: SecretName is the name of a Secret in the same + namespace, of type `kubernetes.io/tls`, which contains the + TLS serving certificate for the Concierge impersonation + proxy endpoint. + minLength: 1 + type: string + type: object required: - mode - service diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index 06536d63..f68201ae 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc 
@@ -568,6 +568,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] +==== ImpersonationProxyTLSSpec + +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint. +| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint. |=== 
diff --git a/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go index d1cb160b..1e869247 100644 --- a/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.18/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -80,6 +80,22 @@ const ( ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None") ) +// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should +// serve TLS. +type ImpersonationProxyTLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). + // Used to advertise the CA bundle for the impersonation proxy endpoint. + // + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + + // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the Concierge impersonation proxy endpoint. + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName,omitempty"` +} + // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy. type ImpersonationProxySpec struct { // Mode configures whether the impersonation proxy should be started: @@ -100,6 +116,11 @@ type ImpersonationProxySpec struct { // // +optional ExternalEndpoint string `json:"externalEndpoint,omitempty"` + + // TLS contains information about how the Concierge impersonation proxy should serve TLS. + // + // +optional + TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy. 
diff --git a/generated/1.18/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go index 1d2678de..d4a01ba4 100644 --- a/generated/1.18/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.18/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go @@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) { *out = *in in.Service.DeepCopyInto(&out.Service) + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(ImpersonationProxyTLSSpec) + **out = **in + } return } @@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec. +func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec { + if in == nil { + return nil + } + out := new(ImpersonationProxyTLSSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) { *out = *in diff --git a/generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml index faa2b6d3..76b3a3db 100644 --- a/generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.18/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -103,6 +103,23 @@ spec: - None type: string type: object + tls: + description: TLS contains information about how the Concierge + impersonation proxy should serve TLS. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). Used to advertise the CA bundle for the impersonation + proxy endpoint. + type: string + secretName: + description: SecretName is the name of a Secret in the same + namespace, of type `kubernetes.io/tls`, which contains the + TLS serving certificate for the Concierge impersonation + proxy endpoint. + minLength: 1 + type: string + type: object required: - mode - service diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index abafdbf0..192ffaa7 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc 
@@ -568,6 +568,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] +==== ImpersonationProxyTLSSpec + +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint. +| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint. |=== 
diff --git a/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go index d1cb160b..1e869247 100644 --- a/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.19/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -80,6 +80,22 @@ const ( ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None") ) +// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should +// serve TLS. +type ImpersonationProxyTLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). + // Used to advertise the CA bundle for the impersonation proxy endpoint. + // + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + + // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the Concierge impersonation proxy endpoint. + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName,omitempty"` +} + // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy. type ImpersonationProxySpec struct { // Mode configures whether the impersonation proxy should be started: @@ -100,6 +116,11 @@ type ImpersonationProxySpec struct { // // +optional ExternalEndpoint string `json:"externalEndpoint,omitempty"` + + // TLS contains information about how the Concierge impersonation proxy should serve TLS. + // + // +optional + TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy. 
diff --git a/generated/1.19/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go index 1d2678de..d4a01ba4 100644 --- a/generated/1.19/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.19/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go @@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) { *out = *in in.Service.DeepCopyInto(&out.Service) + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(ImpersonationProxyTLSSpec) + **out = **in + } return } @@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec. +func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec { + if in == nil { + return nil + } + out := new(ImpersonationProxyTLSSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) { *out = *in diff --git a/generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml index faa2b6d3..76b3a3db 100644 --- a/generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.19/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -103,6 +103,23 @@ spec: - None type: string type: object + tls: + description: TLS contains information about how the Concierge + impersonation proxy should serve TLS. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). Used to advertise the CA bundle for the impersonation + proxy endpoint. + type: string + secretName: + description: SecretName is the name of a Secret in the same + namespace, of type `kubernetes.io/tls`, which contains the + TLS serving certificate for the Concierge impersonation + proxy endpoint. + minLength: 1 + type: string + type: object required: - mode - service diff --git a/generated/1.20/README.adoc b/generated/1.20/README.adoc index 56e3bb2b..4bc125c3 100644 --- a/generated/1.20/README.adoc +++ b/generated/1.20/README.adoc 
@@ -568,6 +568,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] +==== ImpersonationProxyTLSSpec + +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-20-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint. +| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint. |=== 
diff --git a/generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go index d1cb160b..1e869247 100644 --- a/generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.20/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -80,6 +80,22 @@ const ( ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None") ) +// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should +// serve TLS. +type ImpersonationProxyTLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). + // Used to advertise the CA bundle for the impersonation proxy endpoint. + // + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + + // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the Concierge impersonation proxy endpoint. + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName,omitempty"` +} + // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy. type ImpersonationProxySpec struct { // Mode configures whether the impersonation proxy should be started: @@ -100,6 +116,11 @@ type ImpersonationProxySpec struct { // // +optional ExternalEndpoint string `json:"externalEndpoint,omitempty"` + + // TLS contains information about how the Concierge impersonation proxy should serve TLS. + // + // +optional + TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy. 
diff --git a/generated/1.20/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.20/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go index 1d2678de..d4a01ba4 100644 --- a/generated/1.20/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.20/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go @@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) { *out = *in in.Service.DeepCopyInto(&out.Service) + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(ImpersonationProxyTLSSpec) + **out = **in + } return } @@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec. +func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec { + if in == nil { + return nil + } + out := new(ImpersonationProxyTLSSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) { *out = *in diff --git a/generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml index faa2b6d3..76b3a3db 100644 --- a/generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.20/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -103,6 +103,23 @@ spec: - None type: string type: object + tls: + description: TLS contains information about how the Concierge + impersonation proxy should serve TLS. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). Used to advertise the CA bundle for the impersonation + proxy endpoint. + type: string + secretName: + description: SecretName is the name of a Secret in the same + namespace, of type `kubernetes.io/tls`, which contains the + TLS serving certificate for the Concierge impersonation + proxy endpoint. + minLength: 1 + type: string + type: object required: - mode - service diff --git a/generated/1.21/README.adoc b/generated/1.21/README.adoc index 3a8e9036..1c9167e1 100644 --- a/generated/1.21/README.adoc +++ b/generated/1.21/README.adoc 
@@ -568,6 +568,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] +==== ImpersonationProxyTLSSpec + +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-21-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint. +| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint. |=== 
diff --git a/generated/1.21/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.21/apis/concierge/config/v1alpha1/types_credentialissuer.go index d1cb160b..1e869247 100644 --- a/generated/1.21/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.21/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -80,6 +80,22 @@ const ( ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None") ) +// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should +// serve TLS. +type ImpersonationProxyTLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). + // Used to advertise the CA bundle for the impersonation proxy endpoint. + // + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + + // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the Concierge impersonation proxy endpoint. + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName,omitempty"` +} + // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy. type ImpersonationProxySpec struct { // Mode configures whether the impersonation proxy should be started: @@ -100,6 +116,11 @@ type ImpersonationProxySpec struct { // // +optional ExternalEndpoint string `json:"externalEndpoint,omitempty"` + + // TLS contains information about how the Concierge impersonation proxy should serve TLS. + // + // +optional + TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy. 
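Review bot: `SecretName` in the new `ImpersonationProxyTLSSpec` (hunk `@@ -80,6 +80,22 @@`) carries `MinLength=1` but can still be omitted: its tag keeps `omitempty`, there is no required marker, and the regenerated CRD schema for `tls` in this commit has no `required` list, so `tls: {}` or a `tls` holding only `certificateAuthorityData` is admitted with an empty secret name. If a serving-certificate Secret is mandatory whenever `tls` is set, add `// +kubebuilder:validation:Required` and change the tag to `json:"secretName"`; otherwise mark the field `// +optional` and say in its comment what the proxy serves when it is empty. The comment on `CertificateAuthorityData` should also say whether the advertised bundle is checked against the certificate in the Secret, because clients will presumably trust whatever is advertised here. These files look like per-version renderings of the `types_credentialissuer.go.tmpl` named in the diffstat, so the change belongs in the template; the identical hunks for 1.22 through 1.26 below share the point.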
diff --git a/generated/1.21/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.21/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go index 1d2678de..d4a01ba4 100644 --- a/generated/1.21/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.21/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go @@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) { *out = *in in.Service.DeepCopyInto(&out.Service) + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(ImpersonationProxyTLSSpec) + **out = **in + } return } @@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec. +func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec { + if in == nil { + return nil + } + out := new(ImpersonationProxyTLSSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) { *out = *in diff --git a/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml index faa2b6d3..76b3a3db 100644 --- a/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.21/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -103,6 +103,23 @@ spec: - None type: string type: object + tls: + description: TLS contains information about how the Concierge + impersonation proxy should serve TLS. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). Used to advertise the CA bundle for the impersonation + proxy endpoint. + type: string + secretName: + description: SecretName is the name of a Secret in the same + namespace, of type `kubernetes.io/tls`, which contains the + TLS serving certificate for the Concierge impersonation + proxy endpoint. + minLength: 1 + type: string + type: object required: - mode - service diff --git a/generated/1.22/README.adoc b/generated/1.22/README.adoc index d7335467..6b6f46cc 100644 --- a/generated/1.22/README.adoc +++ b/generated/1.22/README.adoc 
@@ -568,6 +568,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] +==== ImpersonationProxyTLSSpec + +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-22-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint. +| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint. |=== 
diff --git a/generated/1.22/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.22/apis/concierge/config/v1alpha1/types_credentialissuer.go index d1cb160b..1e869247 100644 --- a/generated/1.22/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.22/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -80,6 +80,22 @@ const ( ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None") ) +// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should +// serve TLS. +type ImpersonationProxyTLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). + // Used to advertise the CA bundle for the impersonation proxy endpoint. + // + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + + // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the Concierge impersonation proxy endpoint. + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName,omitempty"` +} + // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy. type ImpersonationProxySpec struct { // Mode configures whether the impersonation proxy should be started: @@ -100,6 +116,11 @@ type ImpersonationProxySpec struct { // // +optional ExternalEndpoint string `json:"externalEndpoint,omitempty"` + + // TLS contains information about how the Concierge impersonation proxy should serve TLS. + // + // +optional + TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy. 
diff --git a/generated/1.22/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.22/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go index 1d2678de..d4a01ba4 100644 --- a/generated/1.22/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.22/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go @@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) { *out = *in in.Service.DeepCopyInto(&out.Service) + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(ImpersonationProxyTLSSpec) + **out = **in + } return } @@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec. +func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec { + if in == nil { + return nil + } + out := new(ImpersonationProxyTLSSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) { *out = *in diff --git a/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml index faa2b6d3..76b3a3db 100644 --- a/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.22/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -103,6 +103,23 @@ spec: - None type: string type: object + tls: + description: TLS contains information about how the Concierge + impersonation proxy should serve TLS. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). Used to advertise the CA bundle for the impersonation + proxy endpoint. + type: string + secretName: + description: SecretName is the name of a Secret in the same + namespace, of type `kubernetes.io/tls`, which contains the + TLS serving certificate for the Concierge impersonation + proxy endpoint. + minLength: 1 + type: string + type: object required: - mode - service diff --git a/generated/1.23/README.adoc b/generated/1.23/README.adoc index c08364bc..caf71a7a 100644 --- a/generated/1.23/README.adoc +++ b/generated/1.23/README.adoc 
@@ -568,6 +568,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] +==== ImpersonationProxyTLSSpec + +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-23-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint. +| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint. |=== 
diff --git a/generated/1.23/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.23/apis/concierge/config/v1alpha1/types_credentialissuer.go index d1cb160b..1e869247 100644 --- a/generated/1.23/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.23/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -80,6 +80,22 @@ const ( ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None") ) +// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should +// serve TLS. +type ImpersonationProxyTLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). + // Used to advertise the CA bundle for the impersonation proxy endpoint. + // + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + + // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the Concierge impersonation proxy endpoint. + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName,omitempty"` +} + // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy. type ImpersonationProxySpec struct { // Mode configures whether the impersonation proxy should be started: @@ -100,6 +116,11 @@ type ImpersonationProxySpec struct { // // +optional ExternalEndpoint string `json:"externalEndpoint,omitempty"` + + // TLS contains information about how the Concierge impersonation proxy should serve TLS. + // + // +optional + TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy. 
diff --git a/generated/1.23/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.23/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go index 1d2678de..d4a01ba4 100644 --- a/generated/1.23/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.23/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go @@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) { *out = *in in.Service.DeepCopyInto(&out.Service) + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(ImpersonationProxyTLSSpec) + **out = **in + } return } @@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec. +func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec { + if in == nil { + return nil + } + out := new(ImpersonationProxyTLSSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) { *out = *in diff --git a/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml index faa2b6d3..76b3a3db 100644 --- a/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.23/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -103,6 +103,23 @@ spec: - None type: string type: object + tls: + description: TLS contains information about how the Concierge + impersonation proxy should serve TLS. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). Used to advertise the CA bundle for the impersonation + proxy endpoint. + type: string + secretName: + description: SecretName is the name of a Secret in the same + namespace, of type `kubernetes.io/tls`, which contains the + TLS serving certificate for the Concierge impersonation + proxy endpoint. + minLength: 1 + type: string + type: object required: - mode - service diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc index 128e88a6..c0efdc4c 100644 --- a/generated/1.24/README.adoc +++ b/generated/1.24/README.adoc 
@@ -568,6 +568,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] +==== ImpersonationProxyTLSSpec + +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint. +| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint. |=== 
diff --git a/generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go index d1cb160b..1e869247 100644 --- a/generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -80,6 +80,22 @@ const ( ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None") ) +// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should +// serve TLS. +type ImpersonationProxyTLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). + // Used to advertise the CA bundle for the impersonation proxy endpoint. + // + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + + // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the Concierge impersonation proxy endpoint. + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName,omitempty"` +} + // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy. type ImpersonationProxySpec struct { // Mode configures whether the impersonation proxy should be started: @@ -100,6 +116,11 @@ type ImpersonationProxySpec struct { // // +optional ExternalEndpoint string `json:"externalEndpoint,omitempty"` + + // TLS contains information about how the Concierge impersonation proxy should serve TLS. + // + // +optional + TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy. 
diff --git a/generated/1.24/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.24/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go index 1d2678de..d4a01ba4 100644 --- a/generated/1.24/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.24/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go @@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) { *out = *in in.Service.DeepCopyInto(&out.Service) + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(ImpersonationProxyTLSSpec) + **out = **in + } return } @@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec. +func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec { + if in == nil { + return nil + } + out := new(ImpersonationProxyTLSSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) { *out = *in diff --git a/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml index faa2b6d3..76b3a3db 100644 --- a/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.24/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -103,6 +103,23 @@ spec: - None type: string type: object + tls: + description: TLS contains information about how the Concierge + impersonation proxy should serve TLS. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). Used to advertise the CA bundle for the impersonation + proxy endpoint. + type: string + secretName: + description: SecretName is the name of a Secret in the same + namespace, of type `kubernetes.io/tls`, which contains the + TLS serving certificate for the Concierge impersonation + proxy endpoint. + minLength: 1 + type: string + type: object required: - mode - service diff --git a/generated/1.25/README.adoc b/generated/1.25/README.adoc index 314d1c11..15332b46 100644 --- a/generated/1.25/README.adoc +++ b/generated/1.25/README.adoc 
@@ -566,6 +566,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] +==== ImpersonationProxyTLSSpec + +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint. +| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint. |=== 
diff --git a/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go index d1cb160b..1e869247 100644 --- a/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -80,6 +80,22 @@ const ( ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None") ) +// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should +// serve TLS. +type ImpersonationProxyTLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). + // Used to advertise the CA bundle for the impersonation proxy endpoint. + // + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + + // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the Concierge impersonation proxy endpoint. + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName,omitempty"` +} + // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy. type ImpersonationProxySpec struct { // Mode configures whether the impersonation proxy should be started: @@ -100,6 +116,11 @@ type ImpersonationProxySpec struct { // // +optional ExternalEndpoint string `json:"externalEndpoint,omitempty"` + + // TLS contains information about how the Concierge impersonation proxy should serve TLS. + // + // +optional + TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy. 
diff --git a/generated/1.25/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.25/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go index 1d2678de..d4a01ba4 100644 --- a/generated/1.25/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.25/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go @@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) { *out = *in in.Service.DeepCopyInto(&out.Service) + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(ImpersonationProxyTLSSpec) + **out = **in + } return } @@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec. +func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec { + if in == nil { + return nil + } + out := new(ImpersonationProxyTLSSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) { *out = *in diff --git a/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml index faa2b6d3..76b3a3db 100644 --- a/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.25/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -103,6 +103,23 @@ spec: - None type: string type: object + tls: + description: TLS contains information about how the Concierge + impersonation proxy should serve TLS. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). Used to advertise the CA bundle for the impersonation + proxy endpoint. + type: string + secretName: + description: SecretName is the name of a Secret in the same + namespace, of type `kubernetes.io/tls`, which contains the + TLS serving certificate for the Concierge impersonation + proxy endpoint. + minLength: 1 + type: string + type: object required: - mode - service diff --git a/generated/1.26/README.adoc b/generated/1.26/README.adoc index 6e3a4d4f..c68d22d4 100644 --- a/generated/1.26/README.adoc +++ b/generated/1.26/README.adoc 
@@ -566,6 +566,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] +==== ImpersonationProxyTLSSpec + +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint. +| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint. |=== 
diff --git a/generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go index d1cb160b..1e869247 100644 --- a/generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -80,6 +80,22 @@ const ( ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None") ) +// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should +// serve TLS. +type ImpersonationProxyTLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). + // Used to advertise the CA bundle for the impersonation proxy endpoint. + // + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + + // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the Concierge impersonation proxy endpoint. + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName,omitempty"` +} + // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy. type ImpersonationProxySpec struct { // Mode configures whether the impersonation proxy should be started: @@ -100,6 +116,11 @@ type ImpersonationProxySpec struct { // // +optional ExternalEndpoint string `json:"externalEndpoint,omitempty"` + + // TLS contains information about how the Concierge impersonation proxy should serve TLS. + // + // +optional + TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy. 
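Review bot: `SecretName` in the new `ImpersonationProxyTLSSpec` carries `+kubebuilder:validation:MinLength=1` but is tagged `omitempty` with no required marker, and the CRD hunks in this patch appear to emit no `required` list under `tls`. A `tls` block that omits `secretName`, or sets only `certificateAuthorityData`, would therefore still pass schema validation. If a Secret must always be named once `tls` is set, add `// +kubebuilder:validation:Required` above the field; otherwise the doc comment should state what the proxy serves when the name is empty. The comment on `CertificateAuthorityData` could also say that the advertised bundle has to be the one that issued the certificate in that Secret, since nothing in the schema ties the two together and clients presumably trust whatever bundle is advertised. This file looks like a rendered copy of the `types_credentialissuer.go.tmpl` listed in the diffstat, so the change belongs in the template; the 1.27 and latest copies in this patch carry the same struct.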
diff --git a/generated/1.26/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.26/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go index 1d2678de..d4a01ba4 100644 --- a/generated/1.26/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.26/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go @@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) { *out = *in in.Service.DeepCopyInto(&out.Service) + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(ImpersonationProxyTLSSpec) + **out = **in + } return } @@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec. +func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec { + if in == nil { + return nil + } + out := new(ImpersonationProxyTLSSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) { *out = *in diff --git a/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml index faa2b6d3..76b3a3db 100644 --- a/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.26/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -103,6 +103,23 @@ spec: - None type: string type: object + tls: + description: TLS contains information about how the Concierge + impersonation proxy should serve TLS. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). Used to advertise the CA bundle for the impersonation + proxy endpoint. + type: string + secretName: + description: SecretName is the name of a Secret in the same + namespace, of type `kubernetes.io/tls`, which contains the + TLS serving certificate for the Concierge impersonation + proxy endpoint. + minLength: 1 + type: string + type: object required: - mode - service diff --git a/generated/1.27/README.adoc b/generated/1.27/README.adoc index c099d557..f4fbe660 100644 --- a/generated/1.27/README.adoc +++ b/generated/1.27/README.adoc 
@@ -566,6 +566,25 @@ ImpersonationProxySpec describes the intended configuration of the Concierge imp | *`service`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxyservicespec[$$ImpersonationProxyServiceSpec$$]__ | Service describes the configuration of the Service provisioned to expose the impersonation proxy to clients. | *`externalEndpoint`* __string__ | ExternalEndpoint describes the HTTPS endpoint where the proxy will be exposed. If not set, the proxy will be served using the external name of the LoadBalancer service or the cluster service DNS name. This field must be non-empty when spec.impersonationProxy.service.type is "None". +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxytlsspec[$$ImpersonationProxyTLSSpec$$]__ | TLS contains information about how the Concierge impersonation proxy should serve TLS. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxytlsspec"] +==== ImpersonationProxyTLSSpec + +ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should serve TLS. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-config-v1alpha1-impersonationproxyspec[$$ImpersonationProxySpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). Used to advertise the CA bundle for the impersonation proxy endpoint. +| *`secretName`* __string__ | SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains the TLS serving certificate for the Concierge impersonation proxy endpoint. |=== 
diff --git a/generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go index d1cb160b..1e869247 100644 --- a/generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 @@ -80,6 +80,22 @@ const ( ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None") ) +// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should +// serve TLS. +type ImpersonationProxyTLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). + // Used to advertise the CA bundle for the impersonation proxy endpoint. + // + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + + // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the Concierge impersonation proxy endpoint. + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName,omitempty"` +} + // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy. type ImpersonationProxySpec struct { // Mode configures whether the impersonation proxy should be started: @@ -100,6 +116,11 @@ type ImpersonationProxySpec struct { // // +optional ExternalEndpoint string `json:"externalEndpoint,omitempty"` + + // TLS contains information about how the Concierge impersonation proxy should serve TLS. + // + // +optional + TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy. 
diff --git a/generated/1.27/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go b/generated/1.27/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go index 1d2678de..d4a01ba4 100644 --- a/generated/1.27/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.27/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go @@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) { *out = *in in.Service.DeepCopyInto(&out.Service) + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(ImpersonationProxyTLSSpec) + **out = **in + } return } @@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec. +func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec { + if in == nil { + return nil + } + out := new(ImpersonationProxyTLSSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) { *out = *in diff --git a/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml b/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml index faa2b6d3..76b3a3db 100644 --- a/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml +++ b/generated/1.27/crds/config.concierge.pinniped.dev_credentialissuers.yaml 
@@ -103,6 +103,23 @@ spec: - None type: string type: object + tls: + description: TLS contains information about how the Concierge + impersonation proxy should serve TLS. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM + bundle). Used to advertise the CA bundle for the impersonation + proxy endpoint. + type: string + secretName: + description: SecretName is the name of a Secret in the same + namespace, of type `kubernetes.io/tls`, which contains the + TLS serving certificate for the Concierge impersonation + proxy endpoint. + minLength: 1 + type: string + type: object required: - mode - service diff --git a/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go b/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go index d1cb160b..1e869247 100644 --- a/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go +++ b/generated/latest/apis/concierge/config/v1alpha1/types_credentialissuer.go @@ -1,4 +1,4 @@ -// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package v1alpha1 
@@ -80,6 +80,22 @@ const ( ImpersonationProxyServiceTypeNone = ImpersonationProxyServiceType("None") ) +// ImpersonationProxyTLSSpec contains information about how the Concierge impersonation proxy should +// serve TLS. +type ImpersonationProxyTLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). + // Used to advertise the CA bundle for the impersonation proxy endpoint. + // + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + + // SecretName is the name of a Secret in the same namespace, of type `kubernetes.io/tls`, which contains + // the TLS serving certificate for the Concierge impersonation proxy endpoint. + // + // +kubebuilder:validation:MinLength=1 + SecretName string `json:"secretName,omitempty"` +} + // ImpersonationProxySpec describes the intended configuration of the Concierge impersonation proxy. type ImpersonationProxySpec struct { // Mode configures whether the impersonation proxy should be started: @@ -100,6 +116,11 @@ type ImpersonationProxySpec struct { // // +optional ExternalEndpoint string `json:"externalEndpoint,omitempty"` + + // TLS contains information about how the Concierge impersonation proxy should serve TLS. + // + // +optional + TLS *ImpersonationProxyTLSSpec `json:"tls,omitempty"` } // ImpersonationProxyServiceSpec describes how the Concierge should provision a Service to expose the impersonation proxy. diff --git a/generated/latest/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go index 1d2678de..d4a01ba4 100644 --- a/generated/latest/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go +++ b/generated/latest/apis/concierge/config/v1alpha1/zz_generated.deepcopy.go 
@@ -229,6 +229,11 @@ func (in *ImpersonationProxyServiceSpec) DeepCopy() *ImpersonationProxyServiceSp func (in *ImpersonationProxySpec) DeepCopyInto(out *ImpersonationProxySpec) { *out = *in in.Service.DeepCopyInto(&out.Service) + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(ImpersonationProxyTLSSpec) + **out = **in + } return } @@ -242,6 +247,22 @@ func (in *ImpersonationProxySpec) DeepCopy() *ImpersonationProxySpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImpersonationProxyTLSSpec) DeepCopyInto(out *ImpersonationProxyTLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImpersonationProxyTLSSpec. +func (in *ImpersonationProxyTLSSpec) DeepCopy() *ImpersonationProxyTLSSpec { + if in == nil { + return nil + } + out := new(ImpersonationProxyTLSSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenCredentialRequestAPIInfo) DeepCopyInto(out *TokenCredentialRequestAPIInfo) { *out = *in