From 96d7743eabdb286ccb5870017ee7f1815cc0703e Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Wed, 24 Feb 2021 10:45:25 -0600
Subject: [PATCH] Add CredentialIssuer API fields for impersonation proxy.

Adds a new optional `spec.impersonationProxyInfo` field to hold the URL and CA data for the impersonation proxy, as well as some additional status condition constants for describing the current status of the impersonation proxy.

Signed-off-by: Matt Moyer
---
 .../v1alpha1/types_credentialissuer.go.tmpl | 27 ++++++++++++++++---
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
index 63d59446..5af75b73 100644
--- a/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
+++ b/apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
@@ -16,12 +16,15 @@ type StrategyReason string
 
 const (
 	KubeClusterSigningCertificateStrategyType = StrategyType("KubeClusterSigningCertificate")
+	ImpersonationProxyStrategyType            = StrategyType("ImpersonationProxy")
 
 	SuccessStrategyStatus = StrategyStatus("Success")
 	ErrorStrategyStatus   = StrategyStatus("Error")
 
 	CouldNotFetchKeyStrategyReason = StrategyReason("CouldNotFetchKey")
 	FetchedKeyStrategyReason       = StrategyReason("FetchedKey")
+	ListeningStrategyReason        = StrategyReason("Listening")
+	DisabledStrategyReason         = StrategyReason("Disabled")
 )
 
 // Status of a credential issuer.
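Review bot: The three new exported constants (`ImpersonationProxyStrategyType`, `ListeningStrategyReason`, `DisabledStrategyReason`) are added without doc comments, so a reader of the generated API reference cannot tell which strategy each reason belongs to or when the controller sets it. Since these values surface in the CredentialIssuer status that users and tooling read, a one-line comment per constant stating the condition under which it is reported would be worth adding, e.g. `// ListeningStrategyReason is reported when the impersonation proxy strategy is serving requests.` and `// DisabledStrategyReason is reported when the impersonation proxy strategy has been turned off.` (adjust the wording to the controller's actual semantics, which are not visible here). The existing constants in this block are undocumented too, but the new ones are the natural place to start the convention.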
@@ -29,19 +32,35 @@ type CredentialIssuerStatus struct {
 	// List of integration strategies that were attempted by Pinniped.
 	Strategies []CredentialIssuerStrategy `json:"strategies"`
 
-	// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+	// Information needed to form a valid Pinniped-based kubeconfig using the TokenCredentialRequest API.
 	// +optional
 	KubeConfigInfo *CredentialIssuerKubeConfigInfo `json:"kubeConfigInfo,omitempty"`
+
+	// Information needed to form a valid Pinniped-based kubeconfig using the impersonation proxy.
+	// +optional
+	ImpersonationProxyInfo *CredentialIssuerImpersonationProxyInfo `json:"impersonationProxyInfo,omitempty"`
 }
 
-// Information needed to form a valid Pinniped-based kubeconfig using this credential issuer.
+// Information needed to connect to the TokenCredentialRequest API on this cluster.
 type CredentialIssuerKubeConfigInfo struct {
-	// The K8s API server URL.
+	// The Kubernetes API server URL.
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:Pattern=`^https://|^http://`
 	Server string `json:"server"`
 
-	// The K8s API server CA bundle.
+	// The Kubernetes API server CA bundle.
+	// +kubebuilder:validation:MinLength=1
+	CertificateAuthorityData string `json:"certificateAuthorityData"`
+}
+
+// Information needed to connect to the TokenCredentialRequest API on this cluster.
+type CredentialIssuerImpersonationProxyInfo struct {
+	// The HTTPS endpoint of the impersonation proxy.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^https://`
+	Endpoint string `json:"endpoint"`
+
+	// The CA bundle to validate connections to the impersonation proxy.
 	// +kubebuilder:validation:MinLength=1
 	CertificateAuthorityData string `json:"certificateAuthorityData"`
 }
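Review bot: The doc comment on the new `CredentialIssuerImpersonationProxyInfo` type is copied verbatim from `CredentialIssuerKubeConfigInfo` and says "Information needed to connect to the TokenCredentialRequest API on this cluster.", which is the wrong API for this struct; it should read `// Information needed to connect to the impersonation proxy on this cluster.` so the generated CRD docs do not mislead clients choosing between the two connection paths. Two smaller points in the same hunk: the added `// +kubebuilder:validation:MinLength=1` on the pre-existing `CredentialIssuerKubeConfigInfo.CertificateAuthorityData` tightens validation of an existing status field, which the commit message does not mention and which could reject previously-valid objects with an empty CA bundle if any exist; and the commit message refers to `spec.impersonationProxyInfo` while the field is added to `CredentialIssuerStatus`, so one of the two should be corrected. The `^https://` pattern on `Endpoint` is a good choice, since it prevents the CA-validated proxy endpoint from being advertised over plaintext. CredentialIssuerStatus's struct begins before this hunk.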