diff --git a/.golangci.yaml b/.golangci.yaml index ec1e153c..9578fd7e 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -60,7 +60,7 @@ issues: linters-settings: funlen: - lines: 125 + lines: 150 statements: 50 goheader: template: |- diff --git a/Dockerfile b/Dockerfile index aea42a74..7ddea4d4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,6 +25,7 @@ RUN mkdir out \ # Use a runtime image based on Debian slim FROM debian:10.6-slim +RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/* # Copy the binaries from the build-env stage COPY --from=build-env /work/out/pinniped-concierge /usr/local/bin/pinniped-concierge diff --git a/apis/supervisor/idp/v1alpha1/doc.go.tmpl b/apis/supervisor/idp/v1alpha1/doc.go.tmpl new file mode 100644 index 00000000..71f2737d --- /dev/null +++ b/apis/supervisor/idp/v1alpha1/doc.go.tmpl @@ -0,0 +1,11 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:defaulter-gen=TypeMeta +// +groupName=idp.supervisor.pinniped.dev +// +groupGoName=IDP + +// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API. +package v1alpha1 diff --git a/apis/supervisor/idp/v1alpha1/register.go.tmpl b/apis/supervisor/idp/v1alpha1/register.go.tmpl new file mode 100644 index 00000000..67e549f9 --- /dev/null +++ b/apis/supervisor/idp/v1alpha1/register.go.tmpl @@ -0,0 +1,43 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "idp.supervisor.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &UpstreamOIDCProvider{}, + &UpstreamOIDCProviderList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/apis/supervisor/idp/v1alpha1/types_meta.go.tmpl b/apis/supervisor/idp/v1alpha1/types_meta.go.tmpl new file mode 100644 index 00000000..e59976ff --- /dev/null +++ b/apis/supervisor/idp/v1alpha1/types_meta.go.tmpl @@ -0,0 +1,75 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} diff --git a/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl b/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl new file mode 100644 index 00000000..fa4db315 --- /dev/null +++ b/apis/supervisor/idp/v1alpha1/types_tls.go.tmpl @@ -0,0 +1,11 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +// Configuration for TLS parameters related to identity provider integration. +type TLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` +} diff --git a/apis/supervisor/idp/v1alpha1/types_upstreamoidcprovider.go.tmpl b/apis/supervisor/idp/v1alpha1/types_upstreamoidcprovider.go.tmpl new file mode 100644 index 00000000..ea12b063 --- /dev/null +++ b/apis/supervisor/idp/v1alpha1/types_upstreamoidcprovider.go.tmpl @@ -0,0 +1,123 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type UpstreamOIDCProviderPhase string + +const ( + // PhasePending is the default phase for newly-created UpstreamOIDCProvider resources. + PhasePending UpstreamOIDCProviderPhase = "Pending" + + // PhaseReady is the phase for an UpstreamOIDCProvider resource in a healthy state. + PhaseReady UpstreamOIDCProviderPhase = "Ready" + + // PhaseError is the phase for an UpstreamOIDCProvider in an unhealthy state. + PhaseError UpstreamOIDCProviderPhase = "Error" +) + +// Status of an OIDC identity provider. +type UpstreamOIDCProviderStatus struct { + // Phase summarizes the overall status of the UpstreamOIDCProvider. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase UpstreamOIDCProviderPhase `json:"phase,omitempty"` + + // Represents the observations of an identity provider's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization +// request parameters. +type OIDCAuthorizationConfig struct { + // AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization + // request flow with an OIDC identity provider. By default only the "openid" scope will be requested. + // +optional + AdditionalScopes []string `json:"additionalScopes"` +} + +// OIDCClaims provides a mapping from upstream claims into identities. +type OIDCClaims struct { + // Groups provides the name of the token claim that will be used to ascertain the groups to which + // an identity belongs. + // +optional + Groups string `json:"groups"` + + // Username provides the name of the token claim that will be used to ascertain an identity's + // username. + // +optional + Username string `json:"username"` +} + +// OIDCClient contains information about an OIDC client (e.g., client ID and client +// secret). +type OIDCClient struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + // struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys + // "clientID" and "clientSecret". + SecretName string `json:"secretName"` +} + +// Spec for configuring an OIDC identity provider. +type UpstreamOIDCProviderSpec struct { + // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + // /.well-known/openid-configuration. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://` + Issuer string `json:"issuer"` + + // TLS configuration for discovery/JWKS requests to the issuer. + // +optional + TLS *TLSSpec `json:"tls,omitempty"` + + // AuthorizationConfig holds information about how to form the OAuth2 authorization request + // parameters to be used with this OIDC identity provider. + // +optional + AuthorizationConfig OIDCAuthorizationConfig `json:"authorizationConfig"` + + // Claims provides the names of token claims that will be used when inspecting an identity from + // this OIDC identity provider. + // +optional + Claims OIDCClaims `json:"claims"` + + // OIDCClient contains OIDC client information to be used used with this OIDC identity + // provider. + Client OIDCClient `json:"client"` +} + +// UpstreamOIDCProvider describes the configuration of an upstream OpenID Connect identity provider. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type UpstreamOIDCProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec UpstreamOIDCProviderSpec `json:"spec"` + + // Status of the identity provider. + Status UpstreamOIDCProviderStatus `json:"status,omitempty"` +} + +// List of UpstreamOIDCProvider objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type UpstreamOIDCProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []UpstreamOIDCProvider `json:"items"` +} diff --git a/cmd/pinniped-supervisor/main.go b/cmd/pinniped-supervisor/main.go index 18d69d58..d2bfc7f5 100644 --- a/cmd/pinniped-supervisor/main.go +++ b/cmd/pinniped-supervisor/main.go @@ -22,11 +22,13 @@ import ( restclient "k8s.io/client-go/rest" "k8s.io/component-base/logs" "k8s.io/klog/v2" + "k8s.io/klog/v2/klogr" pinnipedclientset "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned" pinnipedinformers "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions" "go.pinniped.dev/internal/config/supervisor" "go.pinniped.dev/internal/controller/supervisorconfig" + "go.pinniped.dev/internal/controller/supervisorconfig/upstreamwatcher" "go.pinniped.dev/internal/controllerlib" "go.pinniped.dev/internal/downward" "go.pinniped.dev/internal/oidc/jwks" @@ -73,6 +75,7 @@ func startControllers( issuerManager *manager.Manager, dynamicJWKSProvider jwks.DynamicJWKSProvider, dynamicTLSCertProvider provider.DynamicTLSCertProvider, + dynamicUpstreamIDPProvider provider.DynamicUpstreamIDPProvider, kubeClient kubernetes.Interface, pinnipedClient pinnipedclientset.Interface, kubeInformers kubeinformers.SharedInformerFactory, @@ -120,7 +123,15 @@ func startControllers( controllerlib.WithInformer, ), singletonWorker, - ) + ). + WithController( + upstreamwatcher.New( + dynamicUpstreamIDPProvider, + pinnipedClient, + pinnipedInformers.IDP().V1alpha1().UpstreamOIDCProviders(), + kubeInformers.Core().V1().Secrets(), + klogr.New()), + singletonWorker) kubeInformers.Start(ctx.Done()) pinnipedInformers.Start(ctx.Done()) @@ -193,6 +204,7 @@ func run(serverInstallationNamespace string, cfg *supervisor.Config) error { oidProvidersManager, dynamicJWKSProvider, dynamicTLSCertProvider, + dynamicUpstreamIDPProvider, kubeClient, pinnipedClient, kubeInformers, diff --git a/cmd/pinniped/cmd/login_oidc.go b/cmd/pinniped/cmd/login_oidc.go index 3754f06a..bf12e7be 100644 --- a/cmd/pinniped/cmd/login_oidc.go +++ b/cmd/pinniped/cmd/login_oidc.go @@ -4,7 +4,12 @@ package cmd import ( + "crypto/tls" + "crypto/x509" "encoding/json" + "fmt" + "io/ioutil" + "net/http" "os" "path/filepath" @@ -36,6 +41,7 @@ func oidcLoginCommand(loginFunc func(issuer string, clientID string, opts ...oid scopes []string skipBrowser bool sessionCachePath string + caBundlePaths []string debugSessionCache bool ) cmd.Flags().StringVar(&issuer, "issuer", "", "OpenID Connect issuer URL.") @@ -44,6 +50,7 @@ func oidcLoginCommand(loginFunc func(issuer string, clientID string, opts ...oid cmd.Flags().StringSliceVar(&scopes, "scopes", []string{"offline_access", "openid", "email", "profile"}, "OIDC scopes to request during login.") cmd.Flags().BoolVar(&skipBrowser, "skip-browser", false, "Skip opening the browser (just print the URL).") cmd.Flags().StringVar(&sessionCachePath, "session-cache", filepath.Join(mustGetConfigDir(), "sessions.yaml"), "Path to session cache file.") + cmd.Flags().StringSliceVar(&caBundlePaths, "ca-bundle", nil, "Path to TLS certificate authority bundle (PEM format, optional, can be repeated).") cmd.Flags().BoolVar(&debugSessionCache, "debug-session-cache", false, "Print debug logs related to the session cache.") mustMarkHidden(&cmd, "debug-session-cache") mustMarkRequired(&cmd, "issuer", "client-id") @@ -80,6 +87,27 @@ func oidcLoginCommand(loginFunc func(issuer string, clientID string, opts ...oid })) } + if len(caBundlePaths) > 0 { + pool := x509.NewCertPool() + for _, p := range caBundlePaths { + pem, err := ioutil.ReadFile(p) + if err != nil { + return fmt.Errorf("could not read --ca-bundle: %w", err) + } + pool.AppendCertsFromPEM(pem) + } + tlsConfig := tls.Config{ + RootCAs: pool, + MinVersion: tls.VersionTLS12, + } + opts = append(opts, oidcclient.WithClient(&http.Client{ + Transport: &http.Transport{ + Proxy: http.ProxyFromEnvironment, + TLSClientConfig: &tlsConfig, + }, + })) + } + tok, err := loginFunc(issuer, clientID, opts...) if err != nil { return err diff --git a/cmd/pinniped/cmd/login_oidc_test.go b/cmd/pinniped/cmd/login_oidc_test.go index 637a7af4..a8bb03ed 100644 --- a/cmd/pinniped/cmd/login_oidc_test.go +++ b/cmd/pinniped/cmd/login_oidc_test.go @@ -40,6 +40,7 @@ func TestLoginOIDCCommand(t *testing.T) { oidc --issuer ISSUER --client-id CLIENT_ID [flags] Flags: + --ca-bundle strings Path to TLS certificate authority bundle (PEM format, optional, can be repeated). --client-id string OpenID Connect client ID. -h, --help help for oidc --issuer string OpenID Connect issuer URL. diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_upstreamoidcproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_upstreamoidcproviders.yaml new file mode 100644 index 00000000..780fe6fe --- /dev/null +++ b/deploy/supervisor/idp.supervisor.pinniped.dev_upstreamoidcproviders.yaml @@ -0,0 +1,205 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + creationTimestamp: null + name: upstreamoidcproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: UpstreamOIDCProvider + listKind: UpstreamOIDCProviderList + plural: upstreamoidcproviders + singular: upstreamoidcprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.issuer + name: Issuer + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: UpstreamOIDCProvider describes the configuration of an upstream + OpenID Connect identity provider. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + authorizationConfig: + description: AuthorizationConfig holds information about how to form + the OAuth2 authorization request parameters to be used with this + OIDC identity provider. + properties: + additionalScopes: + description: AdditionalScopes are the scopes in addition to "openid" + that will be requested as part of the authorization request + flow with an OIDC identity provider. By default only the "openid" + scope will be requested. + items: + type: string + type: array + type: object + claims: + description: Claims provides the names of token claims that will be + used when inspecting an identity from this OIDC identity provider. + properties: + groups: + description: Groups provides the name of the token claim that + will be used to ascertain the groups to which an identity belongs. + type: string + username: + description: Username provides the name of the token claim that + will be used to ascertain an identity's username. + type: string + type: object + client: + description: OIDCClient contains OIDC client information to be used + used with this OIDC identity provider. + properties: + secretName: + description: SecretName contains the name of a namespace-local + Secret object that provides the clientID and clientSecret for + an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" + with keys "clientID" and "clientSecret". + type: string + required: + - secretName + type: object + issuer: + description: Issuer is the issuer URL of this OIDC identity provider, + i.e., where to fetch /.well-known/openid-configuration. + minLength: 1 + pattern: ^https:// + type: string + tls: + description: TLS configuration for discovery/JWKS requests to the + issuer. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). + If omitted, a default set of system roots will be trusted. + type: string + type: object + required: + - client + - issuer + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Represents the observations of an identity provider's + current state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the UpstreamOIDCProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/deploy/supervisor/rbac.yaml b/deploy/supervisor/rbac.yaml index f260547d..33e86585 100644 --- a/deploy/supervisor/rbac.yaml +++ b/deploy/supervisor/rbac.yaml @@ -19,6 +19,12 @@ rules: - apiGroups: [config.supervisor.pinniped.dev] resources: [oidcproviders] verbs: [update, get, list, watch] + - apiGroups: [idp.supervisor.pinniped.dev] + resources: [upstreamoidcproviders] + verbs: [get, list, watch] + - apiGroups: [idp.supervisor.pinniped.dev] + resources: [upstreamoidcproviders/status] + verbs: [get, patch, update] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 diff --git a/deploy/supervisor/z0_crd_overlay.yaml b/deploy/supervisor/z0_crd_overlay.yaml index 6269da1f..b51556c5 100644 --- a/deploy/supervisor/z0_crd_overlay.yaml +++ b/deploy/supervisor/z0_crd_overlay.yaml @@ -9,3 +9,9 @@ metadata: #@overlay/match missing_ok=True labels: #@ labels() + +#@overlay/match by=overlay.subset({"kind": "CustomResourceDefinition", "metadata":{"name":"upstreamoidcproviders.idp.supervisor.pinniped.dev"}}), expects=1 +--- +metadata: + #@overlay/match missing_ok=True + labels: #@ labels() diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index dbac1c60..a81aa6e9 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc @@ -8,6 +8,7 @@ - xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1[$$config.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1[$$config.supervisor.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] @@ -291,6 +292,166 @@ OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC +[id="{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1"] +=== idp.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API. + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus[$$UpstreamOIDCProviderStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig"] +==== OIDCAuthorizationConfig + +OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization request parameters. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. By default only the "openid" scope will be requested. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcclaims"] +==== OIDCClaims + +OIDCClaims provides a mapping from upstream claims into identities. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs. +| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient contains information about an OIDC client (e.g., client ID and client secret). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-tlsspec"] +==== TLSSpec + +Configuration for TLS parameters related to identity provider integration. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcprovider"] +==== UpstreamOIDCProvider + +UpstreamOIDCProvider describes the configuration of an upstream OpenID Connect identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderlist[$$UpstreamOIDCProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus[$$UpstreamOIDCProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec"] +==== UpstreamOIDCProviderSpec + +Spec for configuring an OIDC identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcprovider[$$UpstreamOIDCProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`issuer`* __string__ | Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch /.well-known/openid-configuration. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for discovery/JWKS requests to the issuer. +| *`authorizationConfig`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$]__ | AuthorizationConfig holds information about how to form the OAuth2 authorization request parameters to be used with this OIDC identity provider. +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcclaims[$$OIDCClaims$$]__ | Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-oidcclient[$$OIDCClient$$]__ | OIDCClient contains OIDC client information to be used used with this OIDC identity provider. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus"] +==== UpstreamOIDCProviderStatus + +Status of an OIDC identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-upstreamoidcprovider[$$UpstreamOIDCProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __UpstreamOIDCProviderPhase__ | Phase summarizes the overall status of the UpstreamOIDCProvider. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-17-apis-supervisor-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state. +|=== + + + [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"] === login.concierge.pinniped.dev/v1alpha1 diff --git a/generated/1.17/apis/supervisor/idp/v1alpha1/doc.go b/generated/1.17/apis/supervisor/idp/v1alpha1/doc.go new file mode 100644 index 00000000..71f2737d --- /dev/null +++ b/generated/1.17/apis/supervisor/idp/v1alpha1/doc.go @@ -0,0 +1,11 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:defaulter-gen=TypeMeta +// +groupName=idp.supervisor.pinniped.dev +// +groupGoName=IDP + +// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API. +package v1alpha1 diff --git a/generated/1.17/apis/supervisor/idp/v1alpha1/register.go b/generated/1.17/apis/supervisor/idp/v1alpha1/register.go new file mode 100644 index 00000000..67e549f9 --- /dev/null +++ b/generated/1.17/apis/supervisor/idp/v1alpha1/register.go @@ -0,0 +1,43 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "idp.supervisor.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &UpstreamOIDCProvider{}, + &UpstreamOIDCProviderList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/generated/1.17/apis/supervisor/idp/v1alpha1/types_meta.go b/generated/1.17/apis/supervisor/idp/v1alpha1/types_meta.go new file mode 100644 index 00000000..e59976ff --- /dev/null +++ b/generated/1.17/apis/supervisor/idp/v1alpha1/types_meta.go @@ -0,0 +1,75 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} diff --git a/generated/1.17/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.17/apis/supervisor/idp/v1alpha1/types_tls.go new file mode 100644 index 00000000..fa4db315 --- /dev/null +++ b/generated/1.17/apis/supervisor/idp/v1alpha1/types_tls.go @@ -0,0 +1,11 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +// Configuration for TLS parameters related to identity provider integration. +type TLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` +} diff --git a/generated/1.17/apis/supervisor/idp/v1alpha1/types_upstreamoidcprovider.go b/generated/1.17/apis/supervisor/idp/v1alpha1/types_upstreamoidcprovider.go new file mode 100644 index 00000000..ea12b063 --- /dev/null +++ b/generated/1.17/apis/supervisor/idp/v1alpha1/types_upstreamoidcprovider.go @@ -0,0 +1,123 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type UpstreamOIDCProviderPhase string + +const ( + // PhasePending is the default phase for newly-created UpstreamOIDCProvider resources. + PhasePending UpstreamOIDCProviderPhase = "Pending" + + // PhaseReady is the phase for an UpstreamOIDCProvider resource in a healthy state. + PhaseReady UpstreamOIDCProviderPhase = "Ready" + + // PhaseError is the phase for an UpstreamOIDCProvider in an unhealthy state. + PhaseError UpstreamOIDCProviderPhase = "Error" +) + +// Status of an OIDC identity provider. +type UpstreamOIDCProviderStatus struct { + // Phase summarizes the overall status of the UpstreamOIDCProvider. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase UpstreamOIDCProviderPhase `json:"phase,omitempty"` + + // Represents the observations of an identity provider's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization +// request parameters. +type OIDCAuthorizationConfig struct { + // AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization + // request flow with an OIDC identity provider. By default only the "openid" scope will be requested. + // +optional + AdditionalScopes []string `json:"additionalScopes"` +} + +// OIDCClaims provides a mapping from upstream claims into identities. +type OIDCClaims struct { + // Groups provides the name of the token claim that will be used to ascertain the groups to which + // an identity belongs. + // +optional + Groups string `json:"groups"` + + // Username provides the name of the token claim that will be used to ascertain an identity's + // username. + // +optional + Username string `json:"username"` +} + +// OIDCClient contains information about an OIDC client (e.g., client ID and client +// secret). +type OIDCClient struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + // struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys + // "clientID" and "clientSecret". + SecretName string `json:"secretName"` +} + +// Spec for configuring an OIDC identity provider. +type UpstreamOIDCProviderSpec struct { + // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + // /.well-known/openid-configuration. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://` + Issuer string `json:"issuer"` + + // TLS configuration for discovery/JWKS requests to the issuer. + // +optional + TLS *TLSSpec `json:"tls,omitempty"` + + // AuthorizationConfig holds information about how to form the OAuth2 authorization request + // parameters to be used with this OIDC identity provider. + // +optional + AuthorizationConfig OIDCAuthorizationConfig `json:"authorizationConfig"` + + // Claims provides the names of token claims that will be used when inspecting an identity from + // this OIDC identity provider. + // +optional + Claims OIDCClaims `json:"claims"` + + // OIDCClient contains OIDC client information to be used used with this OIDC identity + // provider. + Client OIDCClient `json:"client"` +} + +// UpstreamOIDCProvider describes the configuration of an upstream OpenID Connect identity provider. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type UpstreamOIDCProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec UpstreamOIDCProviderSpec `json:"spec"` + + // Status of the identity provider. + Status UpstreamOIDCProviderStatus `json:"status,omitempty"` +} + +// List of UpstreamOIDCProvider objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type UpstreamOIDCProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []UpstreamOIDCProvider `json:"items"` +} diff --git a/generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000..9eeade4e --- /dev/null +++ b/generated/1.17/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -0,0 +1,206 @@ +// +build !ignore_autogenerated + +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) { + *out = *in + if in.AdditionalScopes != nil { + in, out := &in.AdditionalScopes, &out.AdditionalScopes + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthorizationConfig. +func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig { + if in == nil { + return nil + } + out := new(OIDCAuthorizationConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClaims. +func (in *OIDCClaims) DeepCopy() *OIDCClaims { + if in == nil { + return nil + } + out := new(OIDCClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec. +func (in *TLSSpec) DeepCopy() *TLSSpec { + if in == nil { + return nil + } + out := new(TLSSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UpstreamOIDCProvider) DeepCopyInto(out *UpstreamOIDCProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProvider. +func (in *UpstreamOIDCProvider) DeepCopy() *UpstreamOIDCProvider { + if in == nil { + return nil + } + out := new(UpstreamOIDCProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *UpstreamOIDCProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UpstreamOIDCProviderList) DeepCopyInto(out *UpstreamOIDCProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]UpstreamOIDCProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderList. +func (in *UpstreamOIDCProviderList) DeepCopy() *UpstreamOIDCProviderList { + if in == nil { + return nil + } + out := new(UpstreamOIDCProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *UpstreamOIDCProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UpstreamOIDCProviderSpec) DeepCopyInto(out *UpstreamOIDCProviderSpec) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) + out.Claims = in.Claims + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderSpec. +func (in *UpstreamOIDCProviderSpec) DeepCopy() *UpstreamOIDCProviderSpec { + if in == nil { + return nil + } + out := new(UpstreamOIDCProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UpstreamOIDCProviderStatus) DeepCopyInto(out *UpstreamOIDCProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderStatus. +func (in *UpstreamOIDCProviderStatus) DeepCopy() *UpstreamOIDCProviderStatus { + if in == nil { + return nil + } + out := new(UpstreamOIDCProviderStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.17/client/supervisor/clientset/versioned/clientset.go b/generated/1.17/client/supervisor/clientset/versioned/clientset.go index 802140db..b77fa974 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.17/client/supervisor/clientset/versioned/clientset.go @@ -9,6 +9,7 @@ import ( "fmt" configv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -17,6 +18,7 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface + IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -24,6 +26,7 @@ type Interface interface { type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -31,6 +34,11 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return c.configV1alpha1 } +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return c.iDPV1alpha1 +} + // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -56,6 +64,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } + cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { @@ -69,6 +81,7 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) + cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -78,6 +91,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) + cs.iDPV1alpha1 = idpv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go index 304bde35..9f9197ce 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.17/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -9,6 +9,8 @@ import ( clientset "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned" configv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1" fakeconfigv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" + idpv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1" + fakeidpv1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" @@ -67,3 +69,8 @@ var _ clientset.Interface = &Clientset{} func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake} } + +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.17/client/supervisor/clientset/versioned/fake/register.go b/generated/1.17/client/supervisor/clientset/versioned/fake/register.go index fc38dca9..20893b1c 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.17/client/supervisor/clientset/versioned/fake/register.go @@ -7,6 +7,7 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -19,6 +20,7 @@ var codecs = serializer.NewCodecFactory(scheme) var parameterCodec = runtime.NewParameterCodec(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.17/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.17/client/supervisor/clientset/versioned/scheme/register.go index 46ce4ebd..d71def19 100644 --- a/generated/1.17/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.17/client/supervisor/clientset/versioned/scheme/register.go @@ -7,6 +7,7 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -19,6 +20,7 @@ var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/doc.go b/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/doc.go new file mode 100644 index 00000000..f75bf91f --- /dev/null +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/doc.go b/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7879170d --- /dev/null +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go new file mode 100644 index 00000000..28f33fa3 --- /dev/null +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -0,0 +1,27 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeIDPV1alpha1 struct { + *testing.Fake +} + +func (c *FakeIDPV1alpha1) UpstreamOIDCProviders(namespace string) v1alpha1.UpstreamOIDCProviderInterface { + return &FakeUpstreamOIDCProviders{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeIDPV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_upstreamoidcprovider.go b/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_upstreamoidcprovider.go new file mode 100644 index 00000000..167261ea --- /dev/null +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_upstreamoidcprovider.go @@ -0,0 +1,127 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeUpstreamOIDCProviders implements UpstreamOIDCProviderInterface +type FakeUpstreamOIDCProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var upstreamoidcprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "upstreamoidcproviders"} + +var upstreamoidcprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "UpstreamOIDCProvider"} + +// Get takes name of the upstreamOIDCProvider, and returns the corresponding upstreamOIDCProvider object, and an error if there is any. +func (c *FakeUpstreamOIDCProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(upstreamoidcprovidersResource, c.ns, name), &v1alpha1.UpstreamOIDCProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.UpstreamOIDCProvider), err +} + +// List takes label and field selectors, and returns the list of UpstreamOIDCProviders that match those selectors. +func (c *FakeUpstreamOIDCProviders) List(opts v1.ListOptions) (result *v1alpha1.UpstreamOIDCProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(upstreamoidcprovidersResource, upstreamoidcprovidersKind, c.ns, opts), &v1alpha1.UpstreamOIDCProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.UpstreamOIDCProviderList{ListMeta: obj.(*v1alpha1.UpstreamOIDCProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.UpstreamOIDCProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested upstreamOIDCProviders. +func (c *FakeUpstreamOIDCProviders) Watch(opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(upstreamoidcprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a upstreamOIDCProvider and creates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any. +func (c *FakeUpstreamOIDCProviders) Create(upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider) (result *v1alpha1.UpstreamOIDCProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(upstreamoidcprovidersResource, c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.UpstreamOIDCProvider), err +} + +// Update takes the representation of a upstreamOIDCProvider and updates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any. +func (c *FakeUpstreamOIDCProviders) Update(upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider) (result *v1alpha1.UpstreamOIDCProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(upstreamoidcprovidersResource, c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.UpstreamOIDCProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeUpstreamOIDCProviders) UpdateStatus(upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider) (*v1alpha1.UpstreamOIDCProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(upstreamoidcprovidersResource, "status", c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.UpstreamOIDCProvider), err +} + +// Delete takes name of the upstreamOIDCProvider and deletes it. Returns an error if one occurs. +func (c *FakeUpstreamOIDCProviders) Delete(name string, options *v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(upstreamoidcprovidersResource, c.ns, name), &v1alpha1.UpstreamOIDCProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeUpstreamOIDCProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(upstreamoidcprovidersResource, c.ns, listOptions) + + _, err := c.Fake.Invokes(action, &v1alpha1.UpstreamOIDCProviderList{}) + return err +} + +// Patch applies the patch and returns the patched upstreamOIDCProvider. +func (c *FakeUpstreamOIDCProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(upstreamoidcprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.UpstreamOIDCProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.UpstreamOIDCProvider), err +} diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..1950f156 --- /dev/null +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -0,0 +1,8 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type UpstreamOIDCProviderExpansion interface{} diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go new file mode 100644 index 00000000..35b1deff --- /dev/null +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -0,0 +1,76 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" + "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type IDPV1alpha1Interface interface { + RESTClient() rest.Interface + UpstreamOIDCProvidersGetter +} + +// IDPV1alpha1Client is used to interact with features provided by the idp.supervisor.pinniped.dev group. +type IDPV1alpha1Client struct { + restClient rest.Interface +} + +func (c *IDPV1alpha1Client) UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderInterface { + return newUpstreamOIDCProviders(c, namespace) +} + +// NewForConfig creates a new IDPV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &IDPV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new IDPV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *IDPV1alpha1Client { + return &IDPV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *IDPV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/upstreamoidcprovider.go b/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/upstreamoidcprovider.go new file mode 100644 index 00000000..9e459593 --- /dev/null +++ b/generated/1.17/client/supervisor/clientset/versioned/typed/idp/v1alpha1/upstreamoidcprovider.go @@ -0,0 +1,178 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "time" + + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// UpstreamOIDCProvidersGetter has a method to return a UpstreamOIDCProviderInterface. +// A group's client should implement this interface. +type UpstreamOIDCProvidersGetter interface { + UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderInterface +} + +// UpstreamOIDCProviderInterface has methods to work with UpstreamOIDCProvider resources. +type UpstreamOIDCProviderInterface interface { + Create(*v1alpha1.UpstreamOIDCProvider) (*v1alpha1.UpstreamOIDCProvider, error) + Update(*v1alpha1.UpstreamOIDCProvider) (*v1alpha1.UpstreamOIDCProvider, error) + UpdateStatus(*v1alpha1.UpstreamOIDCProvider) (*v1alpha1.UpstreamOIDCProvider, error) + Delete(name string, options *v1.DeleteOptions) error + DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error + Get(name string, options v1.GetOptions) (*v1alpha1.UpstreamOIDCProvider, error) + List(opts v1.ListOptions) (*v1alpha1.UpstreamOIDCProviderList, error) + Watch(opts v1.ListOptions) (watch.Interface, error) + Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error) + UpstreamOIDCProviderExpansion +} + +// upstreamOIDCProviders implements UpstreamOIDCProviderInterface +type upstreamOIDCProviders struct { + client rest.Interface + ns string +} + +// newUpstreamOIDCProviders returns a UpstreamOIDCProviders +func newUpstreamOIDCProviders(c *IDPV1alpha1Client, namespace string) *upstreamOIDCProviders { + return &upstreamOIDCProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the upstreamOIDCProvider, and returns the corresponding upstreamOIDCProvider object, and an error if there is any. +func (c *upstreamOIDCProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) { + result = &v1alpha1.UpstreamOIDCProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of UpstreamOIDCProviders that match those selectors. +func (c *upstreamOIDCProviders) List(opts v1.ListOptions) (result *v1alpha1.UpstreamOIDCProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.UpstreamOIDCProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested upstreamOIDCProviders. +func (c *upstreamOIDCProviders) Watch(opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch() +} + +// Create takes the representation of a upstreamOIDCProvider and creates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any. +func (c *upstreamOIDCProviders) Create(upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider) (result *v1alpha1.UpstreamOIDCProvider, err error) { + result = &v1alpha1.UpstreamOIDCProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + Body(upstreamOIDCProvider). + Do(). + Into(result) + return +} + +// Update takes the representation of a upstreamOIDCProvider and updates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any. +func (c *upstreamOIDCProviders) Update(upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider) (result *v1alpha1.UpstreamOIDCProvider, err error) { + result = &v1alpha1.UpstreamOIDCProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + Name(upstreamOIDCProvider.Name). + Body(upstreamOIDCProvider). + Do(). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). + +func (c *upstreamOIDCProviders) UpdateStatus(upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider) (result *v1alpha1.UpstreamOIDCProvider, err error) { + result = &v1alpha1.UpstreamOIDCProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + Name(upstreamOIDCProvider.Name). + SubResource("status"). + Body(upstreamOIDCProvider). + Do(). + Into(result) + return +} + +// Delete takes name of the upstreamOIDCProvider and deletes it. Returns an error if one occurs. +func (c *upstreamOIDCProviders) Delete(name string, options *v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + Name(name). + Body(options). + Do(). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *upstreamOIDCProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error { + var timeout time.Duration + if listOptions.TimeoutSeconds != nil { + timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + VersionedParams(&listOptions, scheme.ParameterCodec). + Timeout(timeout). + Body(options). + Do(). + Error() +} + +// Patch applies the patch and returns the patched upstreamOIDCProvider. +func (c *upstreamOIDCProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error) { + result = &v1alpha1.UpstreamOIDCProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + SubResource(subresources...). + Name(name). + Body(data). + Do(). + Into(result) + return +} diff --git a/generated/1.17/client/supervisor/informers/externalversions/factory.go b/generated/1.17/client/supervisor/informers/externalversions/factory.go index 06a04297..52cf2252 100644 --- a/generated/1.17/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.17/client/supervisor/informers/externalversions/factory.go @@ -12,6 +12,7 @@ import ( versioned "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned" config "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/config" + idp "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -160,8 +161,13 @@ type SharedInformerFactory interface { WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool Config() config.Interface + IDP() idp.Interface } func (f *sharedInformerFactory) Config() config.Interface { return config.New(f, f.namespace, f.tweakListOptions) } + +func (f *sharedInformerFactory) IDP() idp.Interface { + return idp.New(f, f.namespace, f.tweakListOptions) +} diff --git a/generated/1.17/client/supervisor/informers/externalversions/generic.go b/generated/1.17/client/supervisor/informers/externalversions/generic.go index b26323a3..42e3e5a2 100644 --- a/generated/1.17/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.17/client/supervisor/informers/externalversions/generic.go @@ -9,6 +9,7 @@ import ( "fmt" v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/config/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) @@ -43,6 +44,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case v1alpha1.SchemeGroupVersion.WithResource("oidcproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviders().Informer()}, nil + // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 + case idpv1alpha1.SchemeGroupVersion.WithResource("upstreamoidcproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().UpstreamOIDCProviders().Informer()}, nil + } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.17/client/supervisor/informers/externalversions/idp/interface.go b/generated/1.17/client/supervisor/informers/externalversions/idp/interface.go new file mode 100644 index 00000000..e8589d8c --- /dev/null +++ b/generated/1.17/client/supervisor/informers/externalversions/idp/interface.go @@ -0,0 +1,33 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package idp + +import ( + v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/idp/v1alpha1" + internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/1.17/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.17/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go new file mode 100644 index 00000000..99eda1f7 --- /dev/null +++ b/generated/1.17/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go @@ -0,0 +1,32 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // UpstreamOIDCProviders returns a UpstreamOIDCProviderInformer. + UpstreamOIDCProviders() UpstreamOIDCProviderInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// UpstreamOIDCProviders returns a UpstreamOIDCProviderInformer. +func (v *version) UpstreamOIDCProviders() UpstreamOIDCProviderInformer { + return &upstreamOIDCProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.17/client/supervisor/informers/externalversions/idp/v1alpha1/upstreamoidcprovider.go b/generated/1.17/client/supervisor/informers/externalversions/idp/v1alpha1/upstreamoidcprovider.go new file mode 100644 index 00000000..461e8d4a --- /dev/null +++ b/generated/1.17/client/supervisor/informers/externalversions/idp/v1alpha1/upstreamoidcprovider.go @@ -0,0 +1,76 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.17/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.17/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.17/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// UpstreamOIDCProviderInformer provides access to a shared informer and lister for +// UpstreamOIDCProviders. +type UpstreamOIDCProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.UpstreamOIDCProviderLister +} + +type upstreamOIDCProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewUpstreamOIDCProviderInformer constructs a new informer for UpstreamOIDCProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewUpstreamOIDCProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredUpstreamOIDCProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredUpstreamOIDCProviderInformer constructs a new informer for UpstreamOIDCProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredUpstreamOIDCProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().UpstreamOIDCProviders(namespace).List(options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().UpstreamOIDCProviders(namespace).Watch(options) + }, + }, + &idpv1alpha1.UpstreamOIDCProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *upstreamOIDCProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredUpstreamOIDCProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *upstreamOIDCProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.UpstreamOIDCProvider{}, f.defaultInformer) +} + +func (f *upstreamOIDCProviderInformer) Lister() v1alpha1.UpstreamOIDCProviderLister { + return v1alpha1.NewUpstreamOIDCProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.17/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.17/client/supervisor/listers/idp/v1alpha1/expansion_generated.go new file mode 100644 index 00000000..5d290e01 --- /dev/null +++ b/generated/1.17/client/supervisor/listers/idp/v1alpha1/expansion_generated.go @@ -0,0 +1,14 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// UpstreamOIDCProviderListerExpansion allows custom methods to be added to +// UpstreamOIDCProviderLister. +type UpstreamOIDCProviderListerExpansion interface{} + +// UpstreamOIDCProviderNamespaceListerExpansion allows custom methods to be added to +// UpstreamOIDCProviderNamespaceLister. +type UpstreamOIDCProviderNamespaceListerExpansion interface{} diff --git a/generated/1.17/client/supervisor/listers/idp/v1alpha1/upstreamoidcprovider.go b/generated/1.17/client/supervisor/listers/idp/v1alpha1/upstreamoidcprovider.go new file mode 100644 index 00000000..26f20bcc --- /dev/null +++ b/generated/1.17/client/supervisor/listers/idp/v1alpha1/upstreamoidcprovider.go @@ -0,0 +1,81 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.17/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// UpstreamOIDCProviderLister helps list UpstreamOIDCProviders. +type UpstreamOIDCProviderLister interface { + // List lists all UpstreamOIDCProviders in the indexer. + List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) + // UpstreamOIDCProviders returns an object that can list and get UpstreamOIDCProviders. + UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderNamespaceLister + UpstreamOIDCProviderListerExpansion +} + +// upstreamOIDCProviderLister implements the UpstreamOIDCProviderLister interface. +type upstreamOIDCProviderLister struct { + indexer cache.Indexer +} + +// NewUpstreamOIDCProviderLister returns a new UpstreamOIDCProviderLister. +func NewUpstreamOIDCProviderLister(indexer cache.Indexer) UpstreamOIDCProviderLister { + return &upstreamOIDCProviderLister{indexer: indexer} +} + +// List lists all UpstreamOIDCProviders in the indexer. +func (s *upstreamOIDCProviderLister) List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.UpstreamOIDCProvider)) + }) + return ret, err +} + +// UpstreamOIDCProviders returns an object that can list and get UpstreamOIDCProviders. +func (s *upstreamOIDCProviderLister) UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderNamespaceLister { + return upstreamOIDCProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// UpstreamOIDCProviderNamespaceLister helps list and get UpstreamOIDCProviders. +type UpstreamOIDCProviderNamespaceLister interface { + // List lists all UpstreamOIDCProviders in the indexer for a given namespace. + List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) + // Get retrieves the UpstreamOIDCProvider from the indexer for a given namespace and name. + Get(name string) (*v1alpha1.UpstreamOIDCProvider, error) + UpstreamOIDCProviderNamespaceListerExpansion +} + +// upstreamOIDCProviderNamespaceLister implements the UpstreamOIDCProviderNamespaceLister +// interface. +type upstreamOIDCProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all UpstreamOIDCProviders in the indexer for a given namespace. +func (s upstreamOIDCProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.UpstreamOIDCProvider)) + }) + return ret, err +} + +// Get retrieves the UpstreamOIDCProvider from the indexer for a given namespace and name. +func (s upstreamOIDCProviderNamespaceLister) Get(name string) (*v1alpha1.UpstreamOIDCProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("upstreamoidcprovider"), name) + } + return obj.(*v1alpha1.UpstreamOIDCProvider), nil +} diff --git a/generated/1.17/crds/idp.supervisor.pinniped.dev_upstreamoidcproviders.yaml b/generated/1.17/crds/idp.supervisor.pinniped.dev_upstreamoidcproviders.yaml new file mode 100644 index 00000000..780fe6fe --- /dev/null +++ b/generated/1.17/crds/idp.supervisor.pinniped.dev_upstreamoidcproviders.yaml @@ -0,0 +1,205 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + creationTimestamp: null + name: upstreamoidcproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: UpstreamOIDCProvider + listKind: UpstreamOIDCProviderList + plural: upstreamoidcproviders + singular: upstreamoidcprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.issuer + name: Issuer + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: UpstreamOIDCProvider describes the configuration of an upstream + OpenID Connect identity provider. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + authorizationConfig: + description: AuthorizationConfig holds information about how to form + the OAuth2 authorization request parameters to be used with this + OIDC identity provider. + properties: + additionalScopes: + description: AdditionalScopes are the scopes in addition to "openid" + that will be requested as part of the authorization request + flow with an OIDC identity provider. By default only the "openid" + scope will be requested. + items: + type: string + type: array + type: object + claims: + description: Claims provides the names of token claims that will be + used when inspecting an identity from this OIDC identity provider. + properties: + groups: + description: Groups provides the name of the token claim that + will be used to ascertain the groups to which an identity belongs. + type: string + username: + description: Username provides the name of the token claim that + will be used to ascertain an identity's username. + type: string + type: object + client: + description: OIDCClient contains OIDC client information to be used + used with this OIDC identity provider. + properties: + secretName: + description: SecretName contains the name of a namespace-local + Secret object that provides the clientID and clientSecret for + an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" + with keys "clientID" and "clientSecret". + type: string + required: + - secretName + type: object + issuer: + description: Issuer is the issuer URL of this OIDC identity provider, + i.e., where to fetch /.well-known/openid-configuration. + minLength: 1 + pattern: ^https:// + type: string + tls: + description: TLS configuration for discovery/JWKS requests to the + issuer. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). + If omitted, a default set of system roots will be trusted. + type: string + type: object + required: + - client + - issuer + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Represents the observations of an identity provider's + current state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the UpstreamOIDCProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index c49b346f..a2a20313 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc @@ -8,6 +8,7 @@ - xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1[$$config.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1[$$config.supervisor.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] @@ -291,6 +292,166 @@ OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC +[id="{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1"] +=== idp.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API. + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus[$$UpstreamOIDCProviderStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig"] +==== OIDCAuthorizationConfig + +OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization request parameters. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. By default only the "openid" scope will be requested. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcclaims"] +==== OIDCClaims + +OIDCClaims provides a mapping from upstream claims into identities. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs. +| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient contains information about an OIDC client (e.g., client ID and client secret). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-tlsspec"] +==== TLSSpec + +Configuration for TLS parameters related to identity provider integration. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcprovider"] +==== UpstreamOIDCProvider + +UpstreamOIDCProvider describes the configuration of an upstream OpenID Connect identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderlist[$$UpstreamOIDCProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus[$$UpstreamOIDCProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec"] +==== UpstreamOIDCProviderSpec + +Spec for configuring an OIDC identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcprovider[$$UpstreamOIDCProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`issuer`* __string__ | Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch /.well-known/openid-configuration. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for discovery/JWKS requests to the issuer. +| *`authorizationConfig`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$]__ | AuthorizationConfig holds information about how to form the OAuth2 authorization request parameters to be used with this OIDC identity provider. +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcclaims[$$OIDCClaims$$]__ | Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-oidcclient[$$OIDCClient$$]__ | OIDCClient contains OIDC client information to be used used with this OIDC identity provider. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus"] +==== UpstreamOIDCProviderStatus + +Status of an OIDC identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-upstreamoidcprovider[$$UpstreamOIDCProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __UpstreamOIDCProviderPhase__ | Phase summarizes the overall status of the UpstreamOIDCProvider. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-18-apis-supervisor-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state. +|=== + + + [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"] === login.concierge.pinniped.dev/v1alpha1 diff --git a/generated/1.18/apis/supervisor/idp/v1alpha1/doc.go b/generated/1.18/apis/supervisor/idp/v1alpha1/doc.go new file mode 100644 index 00000000..71f2737d --- /dev/null +++ b/generated/1.18/apis/supervisor/idp/v1alpha1/doc.go @@ -0,0 +1,11 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:defaulter-gen=TypeMeta +// +groupName=idp.supervisor.pinniped.dev +// +groupGoName=IDP + +// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API. +package v1alpha1 diff --git a/generated/1.18/apis/supervisor/idp/v1alpha1/register.go b/generated/1.18/apis/supervisor/idp/v1alpha1/register.go new file mode 100644 index 00000000..67e549f9 --- /dev/null +++ b/generated/1.18/apis/supervisor/idp/v1alpha1/register.go @@ -0,0 +1,43 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "idp.supervisor.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &UpstreamOIDCProvider{}, + &UpstreamOIDCProviderList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/generated/1.18/apis/supervisor/idp/v1alpha1/types_meta.go b/generated/1.18/apis/supervisor/idp/v1alpha1/types_meta.go new file mode 100644 index 00000000..e59976ff --- /dev/null +++ b/generated/1.18/apis/supervisor/idp/v1alpha1/types_meta.go @@ -0,0 +1,75 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} diff --git a/generated/1.18/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.18/apis/supervisor/idp/v1alpha1/types_tls.go new file mode 100644 index 00000000..fa4db315 --- /dev/null +++ b/generated/1.18/apis/supervisor/idp/v1alpha1/types_tls.go @@ -0,0 +1,11 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +// Configuration for TLS parameters related to identity provider integration. +type TLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` +} diff --git a/generated/1.18/apis/supervisor/idp/v1alpha1/types_upstreamoidcprovider.go b/generated/1.18/apis/supervisor/idp/v1alpha1/types_upstreamoidcprovider.go new file mode 100644 index 00000000..ea12b063 --- /dev/null +++ b/generated/1.18/apis/supervisor/idp/v1alpha1/types_upstreamoidcprovider.go @@ -0,0 +1,123 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type UpstreamOIDCProviderPhase string + +const ( + // PhasePending is the default phase for newly-created UpstreamOIDCProvider resources. + PhasePending UpstreamOIDCProviderPhase = "Pending" + + // PhaseReady is the phase for an UpstreamOIDCProvider resource in a healthy state. + PhaseReady UpstreamOIDCProviderPhase = "Ready" + + // PhaseError is the phase for an UpstreamOIDCProvider in an unhealthy state. + PhaseError UpstreamOIDCProviderPhase = "Error" +) + +// Status of an OIDC identity provider. +type UpstreamOIDCProviderStatus struct { + // Phase summarizes the overall status of the UpstreamOIDCProvider. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase UpstreamOIDCProviderPhase `json:"phase,omitempty"` + + // Represents the observations of an identity provider's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization +// request parameters. +type OIDCAuthorizationConfig struct { + // AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization + // request flow with an OIDC identity provider. By default only the "openid" scope will be requested. + // +optional + AdditionalScopes []string `json:"additionalScopes"` +} + +// OIDCClaims provides a mapping from upstream claims into identities. +type OIDCClaims struct { + // Groups provides the name of the token claim that will be used to ascertain the groups to which + // an identity belongs. + // +optional + Groups string `json:"groups"` + + // Username provides the name of the token claim that will be used to ascertain an identity's + // username. + // +optional + Username string `json:"username"` +} + +// OIDCClient contains information about an OIDC client (e.g., client ID and client +// secret). +type OIDCClient struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + // struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys + // "clientID" and "clientSecret". + SecretName string `json:"secretName"` +} + +// Spec for configuring an OIDC identity provider. +type UpstreamOIDCProviderSpec struct { + // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + // /.well-known/openid-configuration. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://` + Issuer string `json:"issuer"` + + // TLS configuration for discovery/JWKS requests to the issuer. + // +optional + TLS *TLSSpec `json:"tls,omitempty"` + + // AuthorizationConfig holds information about how to form the OAuth2 authorization request + // parameters to be used with this OIDC identity provider. + // +optional + AuthorizationConfig OIDCAuthorizationConfig `json:"authorizationConfig"` + + // Claims provides the names of token claims that will be used when inspecting an identity from + // this OIDC identity provider. + // +optional + Claims OIDCClaims `json:"claims"` + + // OIDCClient contains OIDC client information to be used used with this OIDC identity + // provider. + Client OIDCClient `json:"client"` +} + +// UpstreamOIDCProvider describes the configuration of an upstream OpenID Connect identity provider. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type UpstreamOIDCProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec UpstreamOIDCProviderSpec `json:"spec"` + + // Status of the identity provider. + Status UpstreamOIDCProviderStatus `json:"status,omitempty"` +} + +// List of UpstreamOIDCProvider objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type UpstreamOIDCProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []UpstreamOIDCProvider `json:"items"` +} diff --git a/generated/1.18/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000..9eeade4e --- /dev/null +++ b/generated/1.18/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -0,0 +1,206 @@ +// +build !ignore_autogenerated + +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) { + *out = *in + if in.AdditionalScopes != nil { + in, out := &in.AdditionalScopes, &out.AdditionalScopes + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthorizationConfig. +func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig { + if in == nil { + return nil + } + out := new(OIDCAuthorizationConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClaims. +func (in *OIDCClaims) DeepCopy() *OIDCClaims { + if in == nil { + return nil + } + out := new(OIDCClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec. +func (in *TLSSpec) DeepCopy() *TLSSpec { + if in == nil { + return nil + } + out := new(TLSSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UpstreamOIDCProvider) DeepCopyInto(out *UpstreamOIDCProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProvider. +func (in *UpstreamOIDCProvider) DeepCopy() *UpstreamOIDCProvider { + if in == nil { + return nil + } + out := new(UpstreamOIDCProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *UpstreamOIDCProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UpstreamOIDCProviderList) DeepCopyInto(out *UpstreamOIDCProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]UpstreamOIDCProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderList. +func (in *UpstreamOIDCProviderList) DeepCopy() *UpstreamOIDCProviderList { + if in == nil { + return nil + } + out := new(UpstreamOIDCProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *UpstreamOIDCProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UpstreamOIDCProviderSpec) DeepCopyInto(out *UpstreamOIDCProviderSpec) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) + out.Claims = in.Claims + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderSpec. +func (in *UpstreamOIDCProviderSpec) DeepCopy() *UpstreamOIDCProviderSpec { + if in == nil { + return nil + } + out := new(UpstreamOIDCProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UpstreamOIDCProviderStatus) DeepCopyInto(out *UpstreamOIDCProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderStatus. +func (in *UpstreamOIDCProviderStatus) DeepCopy() *UpstreamOIDCProviderStatus { + if in == nil { + return nil + } + out := new(UpstreamOIDCProviderStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.18/client/supervisor/clientset/versioned/clientset.go b/generated/1.18/client/supervisor/clientset/versioned/clientset.go index 83bcc35a..78c11ea9 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.18/client/supervisor/clientset/versioned/clientset.go @@ -9,6 +9,7 @@ import ( "fmt" configv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -17,6 +18,7 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface + IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -24,6 +26,7 @@ type Interface interface { type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -31,6 +34,11 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return c.configV1alpha1 } +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return c.iDPV1alpha1 +} + // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -56,6 +64,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } + cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { @@ -69,6 +81,7 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) + cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -78,6 +91,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) + cs.iDPV1alpha1 = idpv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go index dfbb64d7..c670713c 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.18/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -9,6 +9,8 @@ import ( clientset "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned" configv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1" fakeconfigv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" + idpv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1" + fakeidpv1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" @@ -67,3 +69,8 @@ var _ clientset.Interface = &Clientset{} func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake} } + +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.18/client/supervisor/clientset/versioned/fake/register.go b/generated/1.18/client/supervisor/clientset/versioned/fake/register.go index 7df91a92..a0bbbd33 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.18/client/supervisor/clientset/versioned/fake/register.go @@ -7,6 +7,7 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -19,6 +20,7 @@ var codecs = serializer.NewCodecFactory(scheme) var parameterCodec = runtime.NewParameterCodec(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.18/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.18/client/supervisor/clientset/versioned/scheme/register.go index 670fb9be..e1c666da 100644 --- a/generated/1.18/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.18/client/supervisor/clientset/versioned/scheme/register.go @@ -7,6 +7,7 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -19,6 +20,7 @@ var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/doc.go b/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/doc.go new file mode 100644 index 00000000..f75bf91f --- /dev/null +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/doc.go b/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7879170d --- /dev/null +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go new file mode 100644 index 00000000..cccf4d3c --- /dev/null +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -0,0 +1,27 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeIDPV1alpha1 struct { + *testing.Fake +} + +func (c *FakeIDPV1alpha1) UpstreamOIDCProviders(namespace string) v1alpha1.UpstreamOIDCProviderInterface { + return &FakeUpstreamOIDCProviders{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeIDPV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_upstreamoidcprovider.go b/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_upstreamoidcprovider.go new file mode 100644 index 00000000..3d642676 --- /dev/null +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_upstreamoidcprovider.go @@ -0,0 +1,129 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeUpstreamOIDCProviders implements UpstreamOIDCProviderInterface +type FakeUpstreamOIDCProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var upstreamoidcprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "upstreamoidcproviders"} + +var upstreamoidcprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "UpstreamOIDCProvider"} + +// Get takes name of the upstreamOIDCProvider, and returns the corresponding upstreamOIDCProvider object, and an error if there is any. +func (c *FakeUpstreamOIDCProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(upstreamoidcprovidersResource, c.ns, name), &v1alpha1.UpstreamOIDCProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.UpstreamOIDCProvider), err +} + +// List takes label and field selectors, and returns the list of UpstreamOIDCProviders that match those selectors. +func (c *FakeUpstreamOIDCProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.UpstreamOIDCProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(upstreamoidcprovidersResource, upstreamoidcprovidersKind, c.ns, opts), &v1alpha1.UpstreamOIDCProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.UpstreamOIDCProviderList{ListMeta: obj.(*v1alpha1.UpstreamOIDCProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.UpstreamOIDCProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested upstreamOIDCProviders. +func (c *FakeUpstreamOIDCProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(upstreamoidcprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a upstreamOIDCProvider and creates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any. +func (c *FakeUpstreamOIDCProviders) Create(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.CreateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(upstreamoidcprovidersResource, c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.UpstreamOIDCProvider), err +} + +// Update takes the representation of a upstreamOIDCProvider and updates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any. +func (c *FakeUpstreamOIDCProviders) Update(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(upstreamoidcprovidersResource, c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.UpstreamOIDCProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeUpstreamOIDCProviders) UpdateStatus(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (*v1alpha1.UpstreamOIDCProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(upstreamoidcprovidersResource, "status", c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.UpstreamOIDCProvider), err +} + +// Delete takes name of the upstreamOIDCProvider and deletes it. Returns an error if one occurs. +func (c *FakeUpstreamOIDCProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(upstreamoidcprovidersResource, c.ns, name), &v1alpha1.UpstreamOIDCProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeUpstreamOIDCProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(upstreamoidcprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.UpstreamOIDCProviderList{}) + return err +} + +// Patch applies the patch and returns the patched upstreamOIDCProvider. +func (c *FakeUpstreamOIDCProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(upstreamoidcprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.UpstreamOIDCProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.UpstreamOIDCProvider), err +} diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..1950f156 --- /dev/null +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -0,0 +1,8 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type UpstreamOIDCProviderExpansion interface{} diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go new file mode 100644 index 00000000..477d45b6 --- /dev/null +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -0,0 +1,76 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" + "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type IDPV1alpha1Interface interface { + RESTClient() rest.Interface + UpstreamOIDCProvidersGetter +} + +// IDPV1alpha1Client is used to interact with features provided by the idp.supervisor.pinniped.dev group. +type IDPV1alpha1Client struct { + restClient rest.Interface +} + +func (c *IDPV1alpha1Client) UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderInterface { + return newUpstreamOIDCProviders(c, namespace) +} + +// NewForConfig creates a new IDPV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &IDPV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new IDPV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *IDPV1alpha1Client { + return &IDPV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *IDPV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/upstreamoidcprovider.go b/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/upstreamoidcprovider.go new file mode 100644 index 00000000..1498d43c --- /dev/null +++ b/generated/1.18/client/supervisor/clientset/versioned/typed/idp/v1alpha1/upstreamoidcprovider.go @@ -0,0 +1,182 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// UpstreamOIDCProvidersGetter has a method to return a UpstreamOIDCProviderInterface. +// A group's client should implement this interface. +type UpstreamOIDCProvidersGetter interface { + UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderInterface +} + +// UpstreamOIDCProviderInterface has methods to work with UpstreamOIDCProvider resources. +type UpstreamOIDCProviderInterface interface { + Create(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.CreateOptions) (*v1alpha1.UpstreamOIDCProvider, error) + Update(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (*v1alpha1.UpstreamOIDCProvider, error) + UpdateStatus(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (*v1alpha1.UpstreamOIDCProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.UpstreamOIDCProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.UpstreamOIDCProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error) + UpstreamOIDCProviderExpansion +} + +// upstreamOIDCProviders implements UpstreamOIDCProviderInterface +type upstreamOIDCProviders struct { + client rest.Interface + ns string +} + +// newUpstreamOIDCProviders returns a UpstreamOIDCProviders +func newUpstreamOIDCProviders(c *IDPV1alpha1Client, namespace string) *upstreamOIDCProviders { + return &upstreamOIDCProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the upstreamOIDCProvider, and returns the corresponding upstreamOIDCProvider object, and an error if there is any. +func (c *upstreamOIDCProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) { + result = &v1alpha1.UpstreamOIDCProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of UpstreamOIDCProviders that match those selectors. +func (c *upstreamOIDCProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.UpstreamOIDCProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.UpstreamOIDCProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested upstreamOIDCProviders. +func (c *upstreamOIDCProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a upstreamOIDCProvider and creates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any. +func (c *upstreamOIDCProviders) Create(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.CreateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) { + result = &v1alpha1.UpstreamOIDCProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(upstreamOIDCProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a upstreamOIDCProvider and updates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any. +func (c *upstreamOIDCProviders) Update(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) { + result = &v1alpha1.UpstreamOIDCProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + Name(upstreamOIDCProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(upstreamOIDCProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *upstreamOIDCProviders) UpdateStatus(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) { + result = &v1alpha1.UpstreamOIDCProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + Name(upstreamOIDCProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(upstreamOIDCProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the upstreamOIDCProvider and deletes it. Returns an error if one occurs. +func (c *upstreamOIDCProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *upstreamOIDCProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched upstreamOIDCProvider. +func (c *upstreamOIDCProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error) { + result = &v1alpha1.UpstreamOIDCProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.18/client/supervisor/informers/externalversions/factory.go b/generated/1.18/client/supervisor/informers/externalversions/factory.go index e4fd0c01..5c5b5718 100644 --- a/generated/1.18/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.18/client/supervisor/informers/externalversions/factory.go @@ -12,6 +12,7 @@ import ( versioned "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned" config "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/config" + idp "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -160,8 +161,13 @@ type SharedInformerFactory interface { WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool Config() config.Interface + IDP() idp.Interface } func (f *sharedInformerFactory) Config() config.Interface { return config.New(f, f.namespace, f.tweakListOptions) } + +func (f *sharedInformerFactory) IDP() idp.Interface { + return idp.New(f, f.namespace, f.tweakListOptions) +} diff --git a/generated/1.18/client/supervisor/informers/externalversions/generic.go b/generated/1.18/client/supervisor/informers/externalversions/generic.go index d9cb0928..4c976b43 100644 --- a/generated/1.18/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.18/client/supervisor/informers/externalversions/generic.go @@ -9,6 +9,7 @@ import ( "fmt" v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/config/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) @@ -43,6 +44,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case v1alpha1.SchemeGroupVersion.WithResource("oidcproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviders().Informer()}, nil + // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 + case idpv1alpha1.SchemeGroupVersion.WithResource("upstreamoidcproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().UpstreamOIDCProviders().Informer()}, nil + } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.18/client/supervisor/informers/externalversions/idp/interface.go b/generated/1.18/client/supervisor/informers/externalversions/idp/interface.go new file mode 100644 index 00000000..46e643b4 --- /dev/null +++ b/generated/1.18/client/supervisor/informers/externalversions/idp/interface.go @@ -0,0 +1,33 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package idp + +import ( + v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/idp/v1alpha1" + internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/1.18/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.18/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go new file mode 100644 index 00000000..2cbabef9 --- /dev/null +++ b/generated/1.18/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go @@ -0,0 +1,32 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // UpstreamOIDCProviders returns a UpstreamOIDCProviderInformer. + UpstreamOIDCProviders() UpstreamOIDCProviderInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// UpstreamOIDCProviders returns a UpstreamOIDCProviderInformer. +func (v *version) UpstreamOIDCProviders() UpstreamOIDCProviderInformer { + return &upstreamOIDCProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.18/client/supervisor/informers/externalversions/idp/v1alpha1/upstreamoidcprovider.go b/generated/1.18/client/supervisor/informers/externalversions/idp/v1alpha1/upstreamoidcprovider.go new file mode 100644 index 00000000..6ccbeaf0 --- /dev/null +++ b/generated/1.18/client/supervisor/informers/externalversions/idp/v1alpha1/upstreamoidcprovider.go @@ -0,0 +1,77 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.18/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.18/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.18/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// UpstreamOIDCProviderInformer provides access to a shared informer and lister for +// UpstreamOIDCProviders. +type UpstreamOIDCProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.UpstreamOIDCProviderLister +} + +type upstreamOIDCProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewUpstreamOIDCProviderInformer constructs a new informer for UpstreamOIDCProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewUpstreamOIDCProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredUpstreamOIDCProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredUpstreamOIDCProviderInformer constructs a new informer for UpstreamOIDCProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredUpstreamOIDCProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().UpstreamOIDCProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().UpstreamOIDCProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.UpstreamOIDCProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *upstreamOIDCProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredUpstreamOIDCProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *upstreamOIDCProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.UpstreamOIDCProvider{}, f.defaultInformer) +} + +func (f *upstreamOIDCProviderInformer) Lister() v1alpha1.UpstreamOIDCProviderLister { + return v1alpha1.NewUpstreamOIDCProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.18/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.18/client/supervisor/listers/idp/v1alpha1/expansion_generated.go new file mode 100644 index 00000000..5d290e01 --- /dev/null +++ b/generated/1.18/client/supervisor/listers/idp/v1alpha1/expansion_generated.go @@ -0,0 +1,14 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// UpstreamOIDCProviderListerExpansion allows custom methods to be added to +// UpstreamOIDCProviderLister. +type UpstreamOIDCProviderListerExpansion interface{} + +// UpstreamOIDCProviderNamespaceListerExpansion allows custom methods to be added to +// UpstreamOIDCProviderNamespaceLister. +type UpstreamOIDCProviderNamespaceListerExpansion interface{} diff --git a/generated/1.18/client/supervisor/listers/idp/v1alpha1/upstreamoidcprovider.go b/generated/1.18/client/supervisor/listers/idp/v1alpha1/upstreamoidcprovider.go new file mode 100644 index 00000000..770e3444 --- /dev/null +++ b/generated/1.18/client/supervisor/listers/idp/v1alpha1/upstreamoidcprovider.go @@ -0,0 +1,81 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.18/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// UpstreamOIDCProviderLister helps list UpstreamOIDCProviders. +type UpstreamOIDCProviderLister interface { + // List lists all UpstreamOIDCProviders in the indexer. + List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) + // UpstreamOIDCProviders returns an object that can list and get UpstreamOIDCProviders. + UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderNamespaceLister + UpstreamOIDCProviderListerExpansion +} + +// upstreamOIDCProviderLister implements the UpstreamOIDCProviderLister interface. +type upstreamOIDCProviderLister struct { + indexer cache.Indexer +} + +// NewUpstreamOIDCProviderLister returns a new UpstreamOIDCProviderLister. +func NewUpstreamOIDCProviderLister(indexer cache.Indexer) UpstreamOIDCProviderLister { + return &upstreamOIDCProviderLister{indexer: indexer} +} + +// List lists all UpstreamOIDCProviders in the indexer. +func (s *upstreamOIDCProviderLister) List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.UpstreamOIDCProvider)) + }) + return ret, err +} + +// UpstreamOIDCProviders returns an object that can list and get UpstreamOIDCProviders. +func (s *upstreamOIDCProviderLister) UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderNamespaceLister { + return upstreamOIDCProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// UpstreamOIDCProviderNamespaceLister helps list and get UpstreamOIDCProviders. +type UpstreamOIDCProviderNamespaceLister interface { + // List lists all UpstreamOIDCProviders in the indexer for a given namespace. + List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) + // Get retrieves the UpstreamOIDCProvider from the indexer for a given namespace and name. + Get(name string) (*v1alpha1.UpstreamOIDCProvider, error) + UpstreamOIDCProviderNamespaceListerExpansion +} + +// upstreamOIDCProviderNamespaceLister implements the UpstreamOIDCProviderNamespaceLister +// interface. +type upstreamOIDCProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all UpstreamOIDCProviders in the indexer for a given namespace. +func (s upstreamOIDCProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.UpstreamOIDCProvider)) + }) + return ret, err +} + +// Get retrieves the UpstreamOIDCProvider from the indexer for a given namespace and name. +func (s upstreamOIDCProviderNamespaceLister) Get(name string) (*v1alpha1.UpstreamOIDCProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("upstreamoidcprovider"), name) + } + return obj.(*v1alpha1.UpstreamOIDCProvider), nil +} diff --git a/generated/1.18/crds/idp.supervisor.pinniped.dev_upstreamoidcproviders.yaml b/generated/1.18/crds/idp.supervisor.pinniped.dev_upstreamoidcproviders.yaml new file mode 100644 index 00000000..780fe6fe --- /dev/null +++ b/generated/1.18/crds/idp.supervisor.pinniped.dev_upstreamoidcproviders.yaml @@ -0,0 +1,205 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + creationTimestamp: null + name: upstreamoidcproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: UpstreamOIDCProvider + listKind: UpstreamOIDCProviderList + plural: upstreamoidcproviders + singular: upstreamoidcprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.issuer + name: Issuer + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: UpstreamOIDCProvider describes the configuration of an upstream + OpenID Connect identity provider. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + authorizationConfig: + description: AuthorizationConfig holds information about how to form + the OAuth2 authorization request parameters to be used with this + OIDC identity provider. + properties: + additionalScopes: + description: AdditionalScopes are the scopes in addition to "openid" + that will be requested as part of the authorization request + flow with an OIDC identity provider. By default only the "openid" + scope will be requested. + items: + type: string + type: array + type: object + claims: + description: Claims provides the names of token claims that will be + used when inspecting an identity from this OIDC identity provider. + properties: + groups: + description: Groups provides the name of the token claim that + will be used to ascertain the groups to which an identity belongs. + type: string + username: + description: Username provides the name of the token claim that + will be used to ascertain an identity's username. + type: string + type: object + client: + description: OIDCClient contains OIDC client information to be used + used with this OIDC identity provider. + properties: + secretName: + description: SecretName contains the name of a namespace-local + Secret object that provides the clientID and clientSecret for + an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" + with keys "clientID" and "clientSecret". + type: string + required: + - secretName + type: object + issuer: + description: Issuer is the issuer URL of this OIDC identity provider, + i.e., where to fetch /.well-known/openid-configuration. + minLength: 1 + pattern: ^https:// + type: string + tls: + description: TLS configuration for discovery/JWKS requests to the + issuer. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). + If omitted, a default set of system roots will be trusted. + type: string + type: object + required: + - client + - issuer + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Represents the observations of an identity provider's + current state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the UpstreamOIDCProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index 1920ebab..e36be991 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc @@ -8,6 +8,7 @@ - xref:{anchor_prefix}-authentication-concierge-pinniped-dev-v1alpha1[$$authentication.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-concierge-pinniped-dev-v1alpha1[$$config.concierge.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-config-supervisor-pinniped-dev-v1alpha1[$$config.supervisor.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1[$$idp.supervisor.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1[$$login.concierge.pinniped.dev/v1alpha1$$] @@ -291,6 +292,166 @@ OIDCProviderTLSSpec is a struct that describes the TLS configuration for an OIDC +[id="{anchor_prefix}-idp-supervisor-pinniped-dev-v1alpha1"] +=== idp.supervisor.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API. + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus[$$UpstreamOIDCProviderStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig"] +==== OIDCAuthorizationConfig + +OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization request parameters. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`additionalScopes`* __string array__ | AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization request flow with an OIDC identity provider. By default only the "openid" scope will be requested. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcclaims"] +==== OIDCClaims + +OIDCClaims provides a mapping from upstream claims into identities. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`groups`* __string__ | Groups provides the name of the token claim that will be used to ascertain the groups to which an identity belongs. +| *`username`* __string__ | Username provides the name of the token claim that will be used to ascertain an identity's username. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcclient"] +==== OIDCClient + +OIDCClient contains information about an OIDC client (e.g., client ID and client secret). + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`secretName`* __string__ | SecretName contains the name of a namespace-local Secret object that provides the clientID and clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys "clientID" and "clientSecret". +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-tlsspec"] +==== TLSSpec + +Configuration for TLS parameters related to identity provider integration. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcprovider"] +==== UpstreamOIDCProvider + +UpstreamOIDCProvider describes the configuration of an upstream OpenID Connect identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderlist[$$UpstreamOIDCProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec[$$UpstreamOIDCProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus[$$UpstreamOIDCProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderspec"] +==== UpstreamOIDCProviderSpec + +Spec for configuring an OIDC identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcprovider[$$UpstreamOIDCProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`issuer`* __string__ | Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch /.well-known/openid-configuration. +| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for discovery/JWKS requests to the issuer. +| *`authorizationConfig`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcauthorizationconfig[$$OIDCAuthorizationConfig$$]__ | AuthorizationConfig holds information about how to form the OAuth2 authorization request parameters to be used with this OIDC identity provider. +| *`claims`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcclaims[$$OIDCClaims$$]__ | Claims provides the names of token claims that will be used when inspecting an identity from this OIDC identity provider. +| *`client`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-oidcclient[$$OIDCClient$$]__ | OIDCClient contains OIDC client information to be used used with this OIDC identity provider. +|=== + + +[id="{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcproviderstatus"] +==== UpstreamOIDCProviderStatus + +Status of an OIDC identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-upstreamoidcprovider[$$UpstreamOIDCProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`phase`* __UpstreamOIDCProviderPhase__ | Phase summarizes the overall status of the UpstreamOIDCProvider. +| *`conditions`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-19-apis-supervisor-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state. +|=== + + + [id="{anchor_prefix}-login-concierge-pinniped-dev-v1alpha1"] === login.concierge.pinniped.dev/v1alpha1 diff --git a/generated/1.19/apis/supervisor/idp/v1alpha1/doc.go b/generated/1.19/apis/supervisor/idp/v1alpha1/doc.go new file mode 100644 index 00000000..71f2737d --- /dev/null +++ b/generated/1.19/apis/supervisor/idp/v1alpha1/doc.go @@ -0,0 +1,11 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:defaulter-gen=TypeMeta +// +groupName=idp.supervisor.pinniped.dev +// +groupGoName=IDP + +// Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API. +package v1alpha1 diff --git a/generated/1.19/apis/supervisor/idp/v1alpha1/register.go b/generated/1.19/apis/supervisor/idp/v1alpha1/register.go new file mode 100644 index 00000000..67e549f9 --- /dev/null +++ b/generated/1.19/apis/supervisor/idp/v1alpha1/register.go @@ -0,0 +1,43 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "idp.supervisor.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &UpstreamOIDCProvider{}, + &UpstreamOIDCProviderList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/generated/1.19/apis/supervisor/idp/v1alpha1/types_meta.go b/generated/1.19/apis/supervisor/idp/v1alpha1/types_meta.go new file mode 100644 index 00000000..e59976ff --- /dev/null +++ b/generated/1.19/apis/supervisor/idp/v1alpha1/types_meta.go @@ -0,0 +1,75 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} diff --git a/generated/1.19/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.19/apis/supervisor/idp/v1alpha1/types_tls.go new file mode 100644 index 00000000..fa4db315 --- /dev/null +++ b/generated/1.19/apis/supervisor/idp/v1alpha1/types_tls.go @@ -0,0 +1,11 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +// Configuration for TLS parameters related to identity provider integration. +type TLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` +} diff --git a/generated/1.19/apis/supervisor/idp/v1alpha1/types_upstreamoidcprovider.go b/generated/1.19/apis/supervisor/idp/v1alpha1/types_upstreamoidcprovider.go new file mode 100644 index 00000000..ea12b063 --- /dev/null +++ b/generated/1.19/apis/supervisor/idp/v1alpha1/types_upstreamoidcprovider.go @@ -0,0 +1,123 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type UpstreamOIDCProviderPhase string + +const ( + // PhasePending is the default phase for newly-created UpstreamOIDCProvider resources. + PhasePending UpstreamOIDCProviderPhase = "Pending" + + // PhaseReady is the phase for an UpstreamOIDCProvider resource in a healthy state. + PhaseReady UpstreamOIDCProviderPhase = "Ready" + + // PhaseError is the phase for an UpstreamOIDCProvider in an unhealthy state. + PhaseError UpstreamOIDCProviderPhase = "Error" +) + +// Status of an OIDC identity provider. +type UpstreamOIDCProviderStatus struct { + // Phase summarizes the overall status of the UpstreamOIDCProvider. + // +kubebuilder:default=Pending + // +kubebuilder:validation:Enum=Pending;Ready;Error + Phase UpstreamOIDCProviderPhase `json:"phase,omitempty"` + + // Represents the observations of an identity provider's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization +// request parameters. +type OIDCAuthorizationConfig struct { + // AdditionalScopes are the scopes in addition to "openid" that will be requested as part of the authorization + // request flow with an OIDC identity provider. By default only the "openid" scope will be requested. + // +optional + AdditionalScopes []string `json:"additionalScopes"` +} + +// OIDCClaims provides a mapping from upstream claims into identities. +type OIDCClaims struct { + // Groups provides the name of the token claim that will be used to ascertain the groups to which + // an identity belongs. + // +optional + Groups string `json:"groups"` + + // Username provides the name of the token claim that will be used to ascertain an identity's + // username. + // +optional + Username string `json:"username"` +} + +// OIDCClient contains information about an OIDC client (e.g., client ID and client +// secret). +type OIDCClient struct { + // SecretName contains the name of a namespace-local Secret object that provides the clientID and + // clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient + // struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" with keys + // "clientID" and "clientSecret". + SecretName string `json:"secretName"` +} + +// Spec for configuring an OIDC identity provider. +type UpstreamOIDCProviderSpec struct { + // Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch + // /.well-known/openid-configuration. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://` + Issuer string `json:"issuer"` + + // TLS configuration for discovery/JWKS requests to the issuer. + // +optional + TLS *TLSSpec `json:"tls,omitempty"` + + // AuthorizationConfig holds information about how to form the OAuth2 authorization request + // parameters to be used with this OIDC identity provider. + // +optional + AuthorizationConfig OIDCAuthorizationConfig `json:"authorizationConfig"` + + // Claims provides the names of token claims that will be used when inspecting an identity from + // this OIDC identity provider. + // +optional + Claims OIDCClaims `json:"claims"` + + // OIDCClient contains OIDC client information to be used used with this OIDC identity + // provider. + Client OIDCClient `json:"client"` +} + +// UpstreamOIDCProvider describes the configuration of an upstream OpenID Connect identity provider. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer` +// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +// +kubebuilder:subresource:status +type UpstreamOIDCProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec UpstreamOIDCProviderSpec `json:"spec"` + + // Status of the identity provider. + Status UpstreamOIDCProviderStatus `json:"status,omitempty"` +} + +// List of UpstreamOIDCProvider objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type UpstreamOIDCProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []UpstreamOIDCProvider `json:"items"` +} diff --git a/generated/1.19/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 00000000..9eeade4e --- /dev/null +++ b/generated/1.19/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -0,0 +1,206 @@ +// +build !ignore_autogenerated + +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig) { + *out = *in + if in.AdditionalScopes != nil { + in, out := &in.AdditionalScopes, &out.AdditionalScopes + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthorizationConfig. +func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig { + if in == nil { + return nil + } + out := new(OIDCAuthorizationConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClaims. +func (in *OIDCClaims) DeepCopy() *OIDCClaims { + if in == nil { + return nil + } + out := new(OIDCClaims) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OIDCClient) DeepCopyInto(out *OIDCClient) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient. +func (in *OIDCClient) DeepCopy() *OIDCClient { + if in == nil { + return nil + } + out := new(OIDCClient) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec. +func (in *TLSSpec) DeepCopy() *TLSSpec { + if in == nil { + return nil + } + out := new(TLSSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UpstreamOIDCProvider) DeepCopyInto(out *UpstreamOIDCProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProvider. +func (in *UpstreamOIDCProvider) DeepCopy() *UpstreamOIDCProvider { + if in == nil { + return nil + } + out := new(UpstreamOIDCProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *UpstreamOIDCProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UpstreamOIDCProviderList) DeepCopyInto(out *UpstreamOIDCProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]UpstreamOIDCProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderList. +func (in *UpstreamOIDCProviderList) DeepCopy() *UpstreamOIDCProviderList { + if in == nil { + return nil + } + out := new(UpstreamOIDCProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *UpstreamOIDCProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UpstreamOIDCProviderSpec) DeepCopyInto(out *UpstreamOIDCProviderSpec) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) + out.Claims = in.Claims + out.Client = in.Client + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderSpec. +func (in *UpstreamOIDCProviderSpec) DeepCopy() *UpstreamOIDCProviderSpec { + if in == nil { + return nil + } + out := new(UpstreamOIDCProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UpstreamOIDCProviderStatus) DeepCopyInto(out *UpstreamOIDCProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamOIDCProviderStatus. +func (in *UpstreamOIDCProviderStatus) DeepCopy() *UpstreamOIDCProviderStatus { + if in == nil { + return nil + } + out := new(UpstreamOIDCProviderStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.19/client/supervisor/clientset/versioned/clientset.go b/generated/1.19/client/supervisor/clientset/versioned/clientset.go index 3e61b5c0..e09d4003 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/clientset.go +++ b/generated/1.19/client/supervisor/clientset/versioned/clientset.go @@ -9,6 +9,7 @@ import ( "fmt" configv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" flowcontrol "k8s.io/client-go/util/flowcontrol" @@ -17,6 +18,7 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface + IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface } // Clientset contains the clients for groups. Each group has exactly one @@ -24,6 +26,7 @@ type Interface interface { type Clientset struct { *discovery.DiscoveryClient configV1alpha1 *configv1alpha1.ConfigV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client } // ConfigV1alpha1 retrieves the ConfigV1alpha1Client @@ -31,6 +34,11 @@ func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return c.configV1alpha1 } +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return c.iDPV1alpha1 +} + // Discovery retrieves the DiscoveryClient func (c *Clientset) Discovery() discovery.DiscoveryInterface { if c == nil { @@ -56,6 +64,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } + cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy) if err != nil { @@ -69,6 +81,7 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.NewForConfigOrDie(c) + cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) return &cs @@ -78,6 +91,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { func New(c rest.Interface) *Clientset { var cs Clientset cs.configV1alpha1 = configv1alpha1.New(c) + cs.iDPV1alpha1 = idpv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) return &cs diff --git a/generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go b/generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go index fa0da0c8..5484600d 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.19/client/supervisor/clientset/versioned/fake/clientset_generated.go @@ -9,6 +9,8 @@ import ( clientset "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned" configv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1" fakeconfigv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/config/v1alpha1/fake" + idpv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1" + fakeidpv1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/discovery" @@ -67,3 +69,8 @@ var _ clientset.Interface = &Clientset{} func (c *Clientset) ConfigV1alpha1() configv1alpha1.ConfigV1alpha1Interface { return &fakeconfigv1alpha1.FakeConfigV1alpha1{Fake: &c.Fake} } + +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} +} diff --git a/generated/1.19/client/supervisor/clientset/versioned/fake/register.go b/generated/1.19/client/supervisor/clientset/versioned/fake/register.go index dea28662..163bd03e 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/fake/register.go +++ b/generated/1.19/client/supervisor/clientset/versioned/fake/register.go @@ -7,6 +7,7 @@ package fake import ( configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -19,6 +20,7 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.19/client/supervisor/clientset/versioned/scheme/register.go b/generated/1.19/client/supervisor/clientset/versioned/scheme/register.go index 1cfa796a..3f47db38 100644 --- a/generated/1.19/client/supervisor/clientset/versioned/scheme/register.go +++ b/generated/1.19/client/supervisor/clientset/versioned/scheme/register.go @@ -7,6 +7,7 @@ package scheme import ( configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" schema "k8s.io/apimachinery/pkg/runtime/schema" @@ -19,6 +20,7 @@ var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ configv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, } // AddToScheme adds all types of this clientset into the given scheme. This allows composition diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/doc.go b/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/doc.go new file mode 100644 index 00000000..f75bf91f --- /dev/null +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/doc.go b/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/doc.go new file mode 100644 index 00000000..7879170d --- /dev/null +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/doc.go @@ -0,0 +1,7 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go new file mode 100644 index 00000000..57199da7 --- /dev/null +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -0,0 +1,27 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeIDPV1alpha1 struct { + *testing.Fake +} + +func (c *FakeIDPV1alpha1) UpstreamOIDCProviders(namespace string) v1alpha1.UpstreamOIDCProviderInterface { + return &FakeUpstreamOIDCProviders{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeIDPV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_upstreamoidcprovider.go b/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_upstreamoidcprovider.go new file mode 100644 index 00000000..d26f3fb3 --- /dev/null +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/fake/fake_upstreamoidcprovider.go @@ -0,0 +1,129 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeUpstreamOIDCProviders implements UpstreamOIDCProviderInterface +type FakeUpstreamOIDCProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var upstreamoidcprovidersResource = schema.GroupVersionResource{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Resource: "upstreamoidcproviders"} + +var upstreamoidcprovidersKind = schema.GroupVersionKind{Group: "idp.supervisor.pinniped.dev", Version: "v1alpha1", Kind: "UpstreamOIDCProvider"} + +// Get takes name of the upstreamOIDCProvider, and returns the corresponding upstreamOIDCProvider object, and an error if there is any. +func (c *FakeUpstreamOIDCProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(upstreamoidcprovidersResource, c.ns, name), &v1alpha1.UpstreamOIDCProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.UpstreamOIDCProvider), err +} + +// List takes label and field selectors, and returns the list of UpstreamOIDCProviders that match those selectors. +func (c *FakeUpstreamOIDCProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.UpstreamOIDCProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(upstreamoidcprovidersResource, upstreamoidcprovidersKind, c.ns, opts), &v1alpha1.UpstreamOIDCProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.UpstreamOIDCProviderList{ListMeta: obj.(*v1alpha1.UpstreamOIDCProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.UpstreamOIDCProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested upstreamOIDCProviders. +func (c *FakeUpstreamOIDCProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(upstreamoidcprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a upstreamOIDCProvider and creates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any. +func (c *FakeUpstreamOIDCProviders) Create(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.CreateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(upstreamoidcprovidersResource, c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.UpstreamOIDCProvider), err +} + +// Update takes the representation of a upstreamOIDCProvider and updates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any. +func (c *FakeUpstreamOIDCProviders) Update(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(upstreamoidcprovidersResource, c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.UpstreamOIDCProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeUpstreamOIDCProviders) UpdateStatus(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (*v1alpha1.UpstreamOIDCProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(upstreamoidcprovidersResource, "status", c.ns, upstreamOIDCProvider), &v1alpha1.UpstreamOIDCProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.UpstreamOIDCProvider), err +} + +// Delete takes name of the upstreamOIDCProvider and deletes it. Returns an error if one occurs. +func (c *FakeUpstreamOIDCProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(upstreamoidcprovidersResource, c.ns, name), &v1alpha1.UpstreamOIDCProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeUpstreamOIDCProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(upstreamoidcprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.UpstreamOIDCProviderList{}) + return err +} + +// Patch applies the patch and returns the patched upstreamOIDCProvider. +func (c *FakeUpstreamOIDCProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(upstreamoidcprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.UpstreamOIDCProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.UpstreamOIDCProvider), err +} diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go new file mode 100644 index 00000000..1950f156 --- /dev/null +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -0,0 +1,8 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type UpstreamOIDCProviderExpansion interface{} diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go new file mode 100644 index 00000000..69a54302 --- /dev/null +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -0,0 +1,76 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" + "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type IDPV1alpha1Interface interface { + RESTClient() rest.Interface + UpstreamOIDCProvidersGetter +} + +// IDPV1alpha1Client is used to interact with features provided by the idp.supervisor.pinniped.dev group. +type IDPV1alpha1Client struct { + restClient rest.Interface +} + +func (c *IDPV1alpha1Client) UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderInterface { + return newUpstreamOIDCProviders(c, namespace) +} + +// NewForConfig creates a new IDPV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &IDPV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new IDPV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *IDPV1alpha1Client { + return &IDPV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *IDPV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/upstreamoidcprovider.go b/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/upstreamoidcprovider.go new file mode 100644 index 00000000..19f4f829 --- /dev/null +++ b/generated/1.19/client/supervisor/clientset/versioned/typed/idp/v1alpha1/upstreamoidcprovider.go @@ -0,0 +1,182 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" + scheme "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// UpstreamOIDCProvidersGetter has a method to return a UpstreamOIDCProviderInterface. +// A group's client should implement this interface. +type UpstreamOIDCProvidersGetter interface { + UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderInterface +} + +// UpstreamOIDCProviderInterface has methods to work with UpstreamOIDCProvider resources. +type UpstreamOIDCProviderInterface interface { + Create(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.CreateOptions) (*v1alpha1.UpstreamOIDCProvider, error) + Update(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (*v1alpha1.UpstreamOIDCProvider, error) + UpdateStatus(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (*v1alpha1.UpstreamOIDCProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.UpstreamOIDCProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.UpstreamOIDCProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error) + UpstreamOIDCProviderExpansion +} + +// upstreamOIDCProviders implements UpstreamOIDCProviderInterface +type upstreamOIDCProviders struct { + client rest.Interface + ns string +} + +// newUpstreamOIDCProviders returns a UpstreamOIDCProviders +func newUpstreamOIDCProviders(c *IDPV1alpha1Client, namespace string) *upstreamOIDCProviders { + return &upstreamOIDCProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the upstreamOIDCProvider, and returns the corresponding upstreamOIDCProvider object, and an error if there is any. +func (c *upstreamOIDCProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) { + result = &v1alpha1.UpstreamOIDCProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of UpstreamOIDCProviders that match those selectors. +func (c *upstreamOIDCProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.UpstreamOIDCProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.UpstreamOIDCProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested upstreamOIDCProviders. +func (c *upstreamOIDCProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a upstreamOIDCProvider and creates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any. +func (c *upstreamOIDCProviders) Create(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.CreateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) { + result = &v1alpha1.UpstreamOIDCProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(upstreamOIDCProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a upstreamOIDCProvider and updates it. Returns the server's representation of the upstreamOIDCProvider, and an error, if there is any. +func (c *upstreamOIDCProviders) Update(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) { + result = &v1alpha1.UpstreamOIDCProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + Name(upstreamOIDCProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(upstreamOIDCProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *upstreamOIDCProviders) UpdateStatus(ctx context.Context, upstreamOIDCProvider *v1alpha1.UpstreamOIDCProvider, opts v1.UpdateOptions) (result *v1alpha1.UpstreamOIDCProvider, err error) { + result = &v1alpha1.UpstreamOIDCProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + Name(upstreamOIDCProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(upstreamOIDCProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the upstreamOIDCProvider and deletes it. Returns an error if one occurs. +func (c *upstreamOIDCProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *upstreamOIDCProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched upstreamOIDCProvider. +func (c *upstreamOIDCProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.UpstreamOIDCProvider, err error) { + result = &v1alpha1.UpstreamOIDCProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("upstreamoidcproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.19/client/supervisor/informers/externalversions/factory.go b/generated/1.19/client/supervisor/informers/externalversions/factory.go index 932e2db9..45a3104c 100644 --- a/generated/1.19/client/supervisor/informers/externalversions/factory.go +++ b/generated/1.19/client/supervisor/informers/externalversions/factory.go @@ -12,6 +12,7 @@ import ( versioned "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned" config "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/config" + idp "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/idp" internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -160,8 +161,13 @@ type SharedInformerFactory interface { WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool Config() config.Interface + IDP() idp.Interface } func (f *sharedInformerFactory) Config() config.Interface { return config.New(f, f.namespace, f.tweakListOptions) } + +func (f *sharedInformerFactory) IDP() idp.Interface { + return idp.New(f, f.namespace, f.tweakListOptions) +} diff --git a/generated/1.19/client/supervisor/informers/externalversions/generic.go b/generated/1.19/client/supervisor/informers/externalversions/generic.go index c4479bb2..8d6bf6d3 100644 --- a/generated/1.19/client/supervisor/informers/externalversions/generic.go +++ b/generated/1.19/client/supervisor/informers/externalversions/generic.go @@ -9,6 +9,7 @@ import ( "fmt" v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1" + idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" ) @@ -43,6 +44,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case v1alpha1.SchemeGroupVersion.WithResource("oidcproviders"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1alpha1().OIDCProviders().Informer()}, nil + // Group=idp.supervisor.pinniped.dev, Version=v1alpha1 + case idpv1alpha1.SchemeGroupVersion.WithResource("upstreamoidcproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().UpstreamOIDCProviders().Informer()}, nil + } return nil, fmt.Errorf("no informer found for %v", resource) diff --git a/generated/1.19/client/supervisor/informers/externalversions/idp/interface.go b/generated/1.19/client/supervisor/informers/externalversions/idp/interface.go new file mode 100644 index 00000000..ac945c8e --- /dev/null +++ b/generated/1.19/client/supervisor/informers/externalversions/idp/interface.go @@ -0,0 +1,33 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package idp + +import ( + v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/idp/v1alpha1" + internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/1.19/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.19/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go new file mode 100644 index 00000000..0d67191a --- /dev/null +++ b/generated/1.19/client/supervisor/informers/externalversions/idp/v1alpha1/interface.go @@ -0,0 +1,32 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // UpstreamOIDCProviders returns a UpstreamOIDCProviderInformer. + UpstreamOIDCProviders() UpstreamOIDCProviderInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// UpstreamOIDCProviders returns a UpstreamOIDCProviderInformer. +func (v *version) UpstreamOIDCProviders() UpstreamOIDCProviderInformer { + return &upstreamOIDCProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.19/client/supervisor/informers/externalversions/idp/v1alpha1/upstreamoidcprovider.go b/generated/1.19/client/supervisor/informers/externalversions/idp/v1alpha1/upstreamoidcprovider.go new file mode 100644 index 00000000..6799fa8b --- /dev/null +++ b/generated/1.19/client/supervisor/informers/externalversions/idp/v1alpha1/upstreamoidcprovider.go @@ -0,0 +1,77 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" + versioned "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned" + internalinterfaces "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/internalinterfaces" + v1alpha1 "go.pinniped.dev/generated/1.19/client/supervisor/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// UpstreamOIDCProviderInformer provides access to a shared informer and lister for +// UpstreamOIDCProviders. +type UpstreamOIDCProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.UpstreamOIDCProviderLister +} + +type upstreamOIDCProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewUpstreamOIDCProviderInformer constructs a new informer for UpstreamOIDCProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewUpstreamOIDCProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredUpstreamOIDCProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredUpstreamOIDCProviderInformer constructs a new informer for UpstreamOIDCProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredUpstreamOIDCProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().UpstreamOIDCProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().UpstreamOIDCProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.UpstreamOIDCProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *upstreamOIDCProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredUpstreamOIDCProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *upstreamOIDCProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.UpstreamOIDCProvider{}, f.defaultInformer) +} + +func (f *upstreamOIDCProviderInformer) Lister() v1alpha1.UpstreamOIDCProviderLister { + return v1alpha1.NewUpstreamOIDCProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.19/client/supervisor/listers/idp/v1alpha1/expansion_generated.go b/generated/1.19/client/supervisor/listers/idp/v1alpha1/expansion_generated.go new file mode 100644 index 00000000..5d290e01 --- /dev/null +++ b/generated/1.19/client/supervisor/listers/idp/v1alpha1/expansion_generated.go @@ -0,0 +1,14 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// UpstreamOIDCProviderListerExpansion allows custom methods to be added to +// UpstreamOIDCProviderLister. +type UpstreamOIDCProviderListerExpansion interface{} + +// UpstreamOIDCProviderNamespaceListerExpansion allows custom methods to be added to +// UpstreamOIDCProviderNamespaceLister. +type UpstreamOIDCProviderNamespaceListerExpansion interface{} diff --git a/generated/1.19/client/supervisor/listers/idp/v1alpha1/upstreamoidcprovider.go b/generated/1.19/client/supervisor/listers/idp/v1alpha1/upstreamoidcprovider.go new file mode 100644 index 00000000..7bd60666 --- /dev/null +++ b/generated/1.19/client/supervisor/listers/idp/v1alpha1/upstreamoidcprovider.go @@ -0,0 +1,86 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// UpstreamOIDCProviderLister helps list UpstreamOIDCProviders. +// All objects returned here must be treated as read-only. +type UpstreamOIDCProviderLister interface { + // List lists all UpstreamOIDCProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) + // UpstreamOIDCProviders returns an object that can list and get UpstreamOIDCProviders. + UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderNamespaceLister + UpstreamOIDCProviderListerExpansion +} + +// upstreamOIDCProviderLister implements the UpstreamOIDCProviderLister interface. +type upstreamOIDCProviderLister struct { + indexer cache.Indexer +} + +// NewUpstreamOIDCProviderLister returns a new UpstreamOIDCProviderLister. +func NewUpstreamOIDCProviderLister(indexer cache.Indexer) UpstreamOIDCProviderLister { + return &upstreamOIDCProviderLister{indexer: indexer} +} + +// List lists all UpstreamOIDCProviders in the indexer. +func (s *upstreamOIDCProviderLister) List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.UpstreamOIDCProvider)) + }) + return ret, err +} + +// UpstreamOIDCProviders returns an object that can list and get UpstreamOIDCProviders. +func (s *upstreamOIDCProviderLister) UpstreamOIDCProviders(namespace string) UpstreamOIDCProviderNamespaceLister { + return upstreamOIDCProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// UpstreamOIDCProviderNamespaceLister helps list and get UpstreamOIDCProviders. +// All objects returned here must be treated as read-only. +type UpstreamOIDCProviderNamespaceLister interface { + // List lists all UpstreamOIDCProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) + // Get retrieves the UpstreamOIDCProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.UpstreamOIDCProvider, error) + UpstreamOIDCProviderNamespaceListerExpansion +} + +// upstreamOIDCProviderNamespaceLister implements the UpstreamOIDCProviderNamespaceLister +// interface. +type upstreamOIDCProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all UpstreamOIDCProviders in the indexer for a given namespace. +func (s upstreamOIDCProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.UpstreamOIDCProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.UpstreamOIDCProvider)) + }) + return ret, err +} + +// Get retrieves the UpstreamOIDCProvider from the indexer for a given namespace and name. +func (s upstreamOIDCProviderNamespaceLister) Get(name string) (*v1alpha1.UpstreamOIDCProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("upstreamoidcprovider"), name) + } + return obj.(*v1alpha1.UpstreamOIDCProvider), nil +} diff --git a/generated/1.19/crds/idp.supervisor.pinniped.dev_upstreamoidcproviders.yaml b/generated/1.19/crds/idp.supervisor.pinniped.dev_upstreamoidcproviders.yaml new file mode 100644 index 00000000..780fe6fe --- /dev/null +++ b/generated/1.19/crds/idp.supervisor.pinniped.dev_upstreamoidcproviders.yaml @@ -0,0 +1,205 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + creationTimestamp: null + name: upstreamoidcproviders.idp.supervisor.pinniped.dev +spec: + group: idp.supervisor.pinniped.dev + names: + categories: + - pinniped + - pinniped-idp + - pinniped-idps + kind: UpstreamOIDCProvider + listKind: UpstreamOIDCProviderList + plural: upstreamoidcproviders + singular: upstreamoidcprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.issuer + name: Issuer + type: string + - jsonPath: .status.phase + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: UpstreamOIDCProvider describes the configuration of an upstream + OpenID Connect identity provider. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + authorizationConfig: + description: AuthorizationConfig holds information about how to form + the OAuth2 authorization request parameters to be used with this + OIDC identity provider. + properties: + additionalScopes: + description: AdditionalScopes are the scopes in addition to "openid" + that will be requested as part of the authorization request + flow with an OIDC identity provider. By default only the "openid" + scope will be requested. + items: + type: string + type: array + type: object + claims: + description: Claims provides the names of token claims that will be + used when inspecting an identity from this OIDC identity provider. + properties: + groups: + description: Groups provides the name of the token claim that + will be used to ascertain the groups to which an identity belongs. + type: string + username: + description: Username provides the name of the token claim that + will be used to ascertain an identity's username. + type: string + type: object + client: + description: OIDCClient contains OIDC client information to be used + used with this OIDC identity provider. + properties: + secretName: + description: SecretName contains the name of a namespace-local + Secret object that provides the clientID and clientSecret for + an OIDC client. If only the SecretName is specified in an OIDCClient + struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc" + with keys "clientID" and "clientSecret". + type: string + required: + - secretName + type: object + issuer: + description: Issuer is the issuer URL of this OIDC identity provider, + i.e., where to fetch /.well-known/openid-configuration. + minLength: 1 + pattern: ^https:// + type: string + tls: + description: TLS configuration for discovery/JWKS requests to the + issuer. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). + If omitted, a default set of system roots will be trusted. + type: string + type: object + required: + - client + - issuer + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Represents the observations of an identity provider's + current state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + phase: + default: Pending + description: Phase summarizes the overall status of the UpstreamOIDCProvider. + enum: + - Pending + - Ready + - Error + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/hack/lib/tilt/Tiltfile b/hack/lib/tilt/Tiltfile index 9358451d..cc4d44d5 100644 --- a/hack/lib/tilt/Tiltfile +++ b/hack/lib/tilt/Tiltfile @@ -113,6 +113,7 @@ k8s_resource( objects=[ # these are the objects that would otherwise appear in the "uncategorized" tab in the tilt UI 'oidcproviders.config.supervisor.pinniped.dev:customresourcedefinition', + 'upstreamoidcproviders.idp.supervisor.pinniped.dev:customresourcedefinition', 'pinniped-supervisor-static-config:configmap', 'supervisor:namespace', 'pinniped-supervisor:role', diff --git a/hack/lib/tilt/supervisor.Dockerfile b/hack/lib/tilt/supervisor.Dockerfile index c47e2f23..468749ad 100644 --- a/hack/lib/tilt/supervisor.Dockerfile +++ b/hack/lib/tilt/supervisor.Dockerfile @@ -4,6 +4,8 @@ # Use a runtime image based on Debian slim FROM debian:10.6-slim +RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/* + # Copy the binary which was built outside the container. COPY build/pinniped-supervisor /usr/local/bin/pinniped-supervisor diff --git a/hack/lib/update-codegen.sh b/hack/lib/update-codegen.sh index fe1ab3c9..d4a103ac 100755 --- a/hack/lib/update-codegen.sh +++ b/hack/lib/update-codegen.sh @@ -112,7 +112,7 @@ echo "generating API-related code for our public API groups..." deepcopy \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ - "supervisor/config:v1alpha1 concierge/config:v1alpha1 concierge/authentication:v1alpha1 concierge/login:v1alpha1" \ + "supervisor/config:v1alpha1 supervisor/idp:v1alpha1 concierge/config:v1alpha1 concierge/authentication:v1alpha1 concierge/login:v1alpha1" \ --go-header-file "${ROOT}/hack/boilerplate.go.txt" 2>&1 | sed "s|^|gen-api > |" ) @@ -148,7 +148,7 @@ echo "generating client code for our public API groups..." client,lister,informer \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client/supervisor" \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ - "supervisor/config:v1alpha1" \ + "supervisor/config:v1alpha1 supervisor/idp:v1alpha1" \ --go-header-file "${ROOT}/hack/boilerplate.go.txt" 2>&1 | sed "s|^|gen-client > |" ) @@ -168,6 +168,7 @@ crd-ref-docs \ # Generate CRD YAML (cd apis && controller-gen paths=./supervisor/config/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds && + controller-gen paths=./supervisor/idp/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds && controller-gen paths=./concierge/config/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds && controller-gen paths=./concierge/authentication/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds ) diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh index d3d7cb24..89b7f2f8 100755 --- a/hack/prepare-for-integration-tests.sh +++ b/hack/prepare-for-integration-tests.sh @@ -265,6 +265,11 @@ if ! tilt_mode; then popd >/dev/null fi +# +# Download the test CA bundle that was generated in the Dex pod. +# +test_ca_bundle_pem="$(kubectl exec -n dex deployment/dex -- cat /var/certs/ca.pem)" + # # Create the environment file # @@ -286,7 +291,9 @@ export PINNIPED_TEST_SUPERVISOR_APP_NAME=${supervisor_app_name} export PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS='${supervisor_custom_labels}' export PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS="127.0.0.1:12345" export PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS="localhost:12344" -export PINNIPED_TEST_CLI_OIDC_ISSUER=http://127.0.0.1:12346/dex +export PINNIPED_TEST_PROXY=http://127.0.0.1:12346 +export PINNIPED_TEST_CLI_OIDC_ISSUER=https://dex.dex.svc.cluster.local/dex +export PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE="${test_ca_bundle_pem}" export PINNIPED_TEST_CLI_OIDC_CLIENT_ID=pinniped-cli export PINNIPED_TEST_CLI_OIDC_LOCALHOST_PORT=48095 export PINNIPED_TEST_CLI_OIDC_USERNAME=pinny@example.com diff --git a/internal/certauthority/certauthority.go b/internal/certauthority/certauthority.go index ba3e6492..13636db4 100644 --- a/internal/certauthority/certauthority.go +++ b/internal/certauthority/certauthority.go @@ -27,7 +27,7 @@ import ( // This could certainly be made configurable by an installer of pinniped, but we // will see if we can save adding a configuration knob with a reasonable default // here. -const certBackdate = 5 * time.Minute +const certBackdate = 10 * time.Second type env struct { // secure random number generators for various steps (usually crypto/rand.Reader, but broken out here for tests). diff --git a/internal/certauthority/certauthority_test.go b/internal/certauthority/certauthority_test.go index f2dc5b33..10e74743 100644 --- a/internal/certauthority/certauthority_test.go +++ b/internal/certauthority/certauthority_test.go @@ -94,7 +94,7 @@ func TestNew(t *testing.T) { caCert, err := x509.ParseCertificate(got.caCertBytes) require.NoError(t, err) require.Equal(t, "Test CA", caCert.Subject.CommonName) - require.WithinDuration(t, now.Add(-5*time.Minute), caCert.NotBefore, 10*time.Second) + require.WithinDuration(t, now.Add(-10*time.Second), caCert.NotBefore, 10*time.Second) require.WithinDuration(t, now.Add(time.Minute), caCert.NotAfter, 10*time.Second) } @@ -149,7 +149,7 @@ func TestNewInternal(t *testing.T) { }, wantCommonName: "Test CA", wantNotAfter: now.Add(time.Minute), - wantNotBefore: now.Add(-5 * time.Minute), + wantNotBefore: now.Add(-10 * time.Second), }, } for _, tt := range tests { diff --git a/internal/controller/supervisorconfig/upstreamwatcher/upstreamwatcher.go b/internal/controller/supervisorconfig/upstreamwatcher/upstreamwatcher.go new file mode 100644 index 00000000..bc3db3bf --- /dev/null +++ b/internal/controller/supervisorconfig/upstreamwatcher/upstreamwatcher.go @@ -0,0 +1,396 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +// Package upstreamwatcher implements a controller that watches UpstreamOIDCProvider objects. +package upstreamwatcher + +import ( + "context" + "crypto/tls" + "crypto/x509" + "encoding/base64" + "fmt" + "net/http" + "net/url" + "sort" + "time" + + "github.com/coreos/go-oidc" + "github.com/go-logr/logr" + "k8s.io/apimachinery/pkg/api/equality" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/util/cache" + corev1informers "k8s.io/client-go/informers/core/v1" + + "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" + pinnipedclientset "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned" + idpinformers "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/idp/v1alpha1" + "go.pinniped.dev/internal/constable" + pinnipedcontroller "go.pinniped.dev/internal/controller" + "go.pinniped.dev/internal/controllerlib" + "go.pinniped.dev/internal/oidc/provider" +) + +const ( + // Setup for the name of our controller in logs. + controllerName = "upstream-observer" + + // Constants related to the client credentials Secret. + oidcClientSecretType = "secrets.pinniped.dev/oidc-client" + clientIDDataKey = "clientID" + clientSecretDataKey = "clientSecret" + + // Constants related to the OIDC provider discovery cache. These do not affect the cache of JWKS. + validatorCacheTTL = 15 * time.Minute + + // Constants related to conditions. + typeClientCredsValid = "ClientCredentialsValid" + typeOIDCDiscoverySucceeded = "OIDCDiscoverySucceeded" + reasonNotFound = "SecretNotFound" + reasonWrongType = "SecretWrongType" + reasonMissingKeys = "SecretMissingKeys" + reasonSuccess = "Success" + reasonUnreachable = "Unreachable" + reasonInvalidTLSConfig = "InvalidTLSConfig" + reasonInvalidResponse = "InvalidResponse" + + // Errors that are generated by our reconcile process. + errFailureStatus = constable.Error("UpstreamOIDCProvider has a failing condition") + errNoCertificates = constable.Error("no certificates found") +) + +// IDPCache is a thread safe cache that holds a list of validated upstream OIDC IDP configurations. +type IDPCache interface { + SetIDPList([]provider.UpstreamOIDCIdentityProvider) +} + +// lruValidatorCache caches the *oidc.Provider associated with a particular issuer/TLS configuration. +type lruValidatorCache struct{ cache *cache.Expiring } + +func (c *lruValidatorCache) getProvider(spec *v1alpha1.UpstreamOIDCProviderSpec) *oidc.Provider { + if result, ok := c.cache.Get(c.cacheKey(spec)); ok { + return result.(*oidc.Provider) + } + return nil +} + +func (c *lruValidatorCache) putProvider(spec *v1alpha1.UpstreamOIDCProviderSpec, provider *oidc.Provider) { + c.cache.Set(c.cacheKey(spec), provider, validatorCacheTTL) +} + +func (c *lruValidatorCache) cacheKey(spec *v1alpha1.UpstreamOIDCProviderSpec) interface{} { + var key struct{ issuer, caBundle string } + key.issuer = spec.Issuer + if spec.TLS != nil { + key.caBundle = spec.TLS.CertificateAuthorityData + } + return key +} + +type controller struct { + cache IDPCache + log logr.Logger + client pinnipedclientset.Interface + providers idpinformers.UpstreamOIDCProviderInformer + secrets corev1informers.SecretInformer + validatorCache interface { + getProvider(spec *v1alpha1.UpstreamOIDCProviderSpec) *oidc.Provider + putProvider(spec *v1alpha1.UpstreamOIDCProviderSpec, provider *oidc.Provider) + } +} + +// New instantiates a new controllerlib.Controller which will populate the provided IDPCache. +func New( + idpCache IDPCache, + client pinnipedclientset.Interface, + providers idpinformers.UpstreamOIDCProviderInformer, + secrets corev1informers.SecretInformer, + log logr.Logger, +) controllerlib.Controller { + c := controller{ + cache: idpCache, + log: log.WithName(controllerName), + client: client, + providers: providers, + secrets: secrets, + validatorCache: &lruValidatorCache{cache: cache.NewExpiring()}, + } + filter := pinnipedcontroller.MatchAnythingFilter(pinnipedcontroller.SingletonQueue()) + return controllerlib.New( + controllerlib.Config{Name: controllerName, Syncer: &c}, + controllerlib.WithInformer(providers, filter, controllerlib.InformerOption{}), + controllerlib.WithInformer(secrets, filter, controllerlib.InformerOption{}), + ) +} + +// Sync implements controllerlib.Syncer. +func (c *controller) Sync(ctx controllerlib.Context) error { + actualUpstreams, err := c.providers.Lister().List(labels.Everything()) + if err != nil { + return fmt.Errorf("failed to list UpstreamOIDCProviders: %w", err) + } + + requeue := false + validatedUpstreams := make([]provider.UpstreamOIDCIdentityProvider, 0, len(actualUpstreams)) + for _, upstream := range actualUpstreams { + valid := c.validateUpstream(ctx, upstream) + if valid == nil { + requeue = true + } else { + validatedUpstreams = append(validatedUpstreams, *valid) + } + } + c.cache.SetIDPList(validatedUpstreams) + if requeue { + return controllerlib.ErrSyntheticRequeue + } + return nil +} + +// validateUpstream validates the provided v1alpha1.UpstreamOIDCProvider and returns the validated configuration as a +// provider.UpstreamOIDCIdentityProvider. As a side effect, it also updates the status of the v1alpha1.UpstreamOIDCProvider. +func (c *controller) validateUpstream(ctx controllerlib.Context, upstream *v1alpha1.UpstreamOIDCProvider) *provider.UpstreamOIDCIdentityProvider { + result := provider.UpstreamOIDCIdentityProvider{ + Name: upstream.Name, + Scopes: computeScopes(upstream.Spec.AuthorizationConfig.AdditionalScopes), + } + conditions := []*v1alpha1.Condition{ + c.validateSecret(upstream, &result), + c.validateIssuer(ctx.Context, upstream, &result), + } + c.updateStatus(ctx.Context, upstream, conditions) + + valid := true + log := c.log.WithValues("namespace", upstream.Namespace, "name", upstream.Name) + for _, condition := range conditions { + if condition.Status == v1alpha1.ConditionFalse { + valid = false + log.WithValues( + "type", condition.Type, + "reason", condition.Reason, + "message", condition.Message, + ).Error(errFailureStatus, "found failing condition") + } + } + if valid { + return &result + } + return nil +} + +// validateSecret validates the .spec.client.secretName field and returns the appropriate ClientCredentialsValid condition. +func (c *controller) validateSecret(upstream *v1alpha1.UpstreamOIDCProvider, result *provider.UpstreamOIDCIdentityProvider) *v1alpha1.Condition { + secretName := upstream.Spec.Client.SecretName + + // Fetch the Secret from informer cache. + secret, err := c.secrets.Lister().Secrets(upstream.Namespace).Get(secretName) + if err != nil { + return &v1alpha1.Condition{ + Type: typeClientCredsValid, + Status: v1alpha1.ConditionFalse, + Reason: reasonNotFound, + Message: err.Error(), + } + } + + // Validate the secret .type field. + if secret.Type != oidcClientSecretType { + return &v1alpha1.Condition{ + Type: typeClientCredsValid, + Status: v1alpha1.ConditionFalse, + Reason: reasonWrongType, + Message: fmt.Sprintf("referenced Secret %q has wrong type %q (should be %q)", secretName, secret.Type, oidcClientSecretType), + } + } + + // Validate the secret .data field. + clientID := secret.Data[clientIDDataKey] + clientSecret := secret.Data[clientSecretDataKey] + if len(clientID) == 0 || len(clientSecret) == 0 { + return &v1alpha1.Condition{ + Type: typeClientCredsValid, + Status: v1alpha1.ConditionFalse, + Reason: reasonMissingKeys, + Message: fmt.Sprintf("referenced Secret %q is missing required keys %q", secretName, []string{clientIDDataKey, clientSecretDataKey}), + } + } + + // If everything is valid, update the result and set the condition to true. + result.ClientID = string(clientID) + return &v1alpha1.Condition{ + Type: typeClientCredsValid, + Status: v1alpha1.ConditionTrue, + Reason: reasonSuccess, + Message: "loaded client credentials", + } +} + +// validateIssuer validates the .spec.issuer field, performs OIDC discovery, and returns the appropriate OIDCDiscoverySucceeded condition. +func (c *controller) validateIssuer(ctx context.Context, upstream *v1alpha1.UpstreamOIDCProvider, result *provider.UpstreamOIDCIdentityProvider) *v1alpha1.Condition { + // Get the provider (from cache if possible). + discoveredProvider := c.validatorCache.getProvider(&upstream.Spec) + + // If the provider does not exist in the cache, do a fresh discovery lookup and save to the cache. + if discoveredProvider == nil { + tlsConfig, err := getTLSConfig(upstream) + if err != nil { + return &v1alpha1.Condition{ + Type: typeOIDCDiscoverySucceeded, + Status: v1alpha1.ConditionFalse, + Reason: reasonInvalidTLSConfig, + Message: err.Error(), + } + } + httpClient := &http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}} + + discoveredProvider, err = oidc.NewProvider(oidc.ClientContext(ctx, httpClient), upstream.Spec.Issuer) + if err != nil { + return &v1alpha1.Condition{ + Type: typeOIDCDiscoverySucceeded, + Status: v1alpha1.ConditionFalse, + Reason: reasonUnreachable, + Message: fmt.Sprintf("failed to perform OIDC discovery against %q", upstream.Spec.Issuer), + } + } + + // Update the cache with the newly discovered value. + c.validatorCache.putProvider(&upstream.Spec, discoveredProvider) + } + + // Parse out and validate the discovered authorize endpoint. + authURL, err := url.Parse(discoveredProvider.Endpoint().AuthURL) + if err != nil { + return &v1alpha1.Condition{ + Type: typeOIDCDiscoverySucceeded, + Status: v1alpha1.ConditionFalse, + Reason: reasonInvalidResponse, + Message: fmt.Sprintf("failed to parse authorization endpoint URL: %v", err), + } + } + if authURL.Scheme != "https" { + return &v1alpha1.Condition{ + Type: typeOIDCDiscoverySucceeded, + Status: v1alpha1.ConditionFalse, + Reason: reasonInvalidResponse, + Message: fmt.Sprintf(`authorization endpoint URL scheme must be "https", not %q`, authURL.Scheme), + } + } + + // If everything is valid, update the result and set the condition to true. + result.AuthorizationURL = *authURL + return &v1alpha1.Condition{ + Type: typeOIDCDiscoverySucceeded, + Status: v1alpha1.ConditionTrue, + Reason: reasonSuccess, + Message: "discovered issuer configuration", + } +} + +func getTLSConfig(upstream *v1alpha1.UpstreamOIDCProvider) (*tls.Config, error) { + result := tls.Config{ + MinVersion: tls.VersionTLS12, + } + + if upstream.Spec.TLS == nil || upstream.Spec.TLS.CertificateAuthorityData == "" { + return &result, nil + } + + bundle, err := base64.StdEncoding.DecodeString(upstream.Spec.TLS.CertificateAuthorityData) + if err != nil { + return nil, fmt.Errorf("spec.certificateAuthorityData is invalid: %w", err) + } + + result.RootCAs = x509.NewCertPool() + if !result.RootCAs.AppendCertsFromPEM(bundle) { + return nil, fmt.Errorf("spec.certificateAuthorityData is invalid: %w", errNoCertificates) + } + + return &result, nil +} + +func (c *controller) updateStatus(ctx context.Context, upstream *v1alpha1.UpstreamOIDCProvider, conditions []*v1alpha1.Condition) { + log := c.log.WithValues("namespace", upstream.Namespace, "name", upstream.Name) + updated := upstream.DeepCopy() + + updated.Status.Phase = v1alpha1.PhaseReady + + for i := range conditions { + cond := conditions[i].DeepCopy() + cond.LastTransitionTime = metav1.Now() + cond.ObservedGeneration = upstream.Generation + if mergeCondition(&updated.Status.Conditions, cond) { + log.Info("updated condition", "type", cond.Type, "status", cond.Status, "reason", cond.Reason, "message", cond.Message) + } + if cond.Status == v1alpha1.ConditionFalse { + updated.Status.Phase = v1alpha1.PhaseError + } + } + + sort.SliceStable(updated.Status.Conditions, func(i, j int) bool { + return updated.Status.Conditions[i].Type < updated.Status.Conditions[j].Type + }) + + if equality.Semantic.DeepEqual(upstream, updated) { + return + } + + _, err := c.client. + IDPV1alpha1(). + UpstreamOIDCProviders(upstream.Namespace). + UpdateStatus(ctx, updated, metav1.UpdateOptions{}) + if err != nil { + log.Error(err, "failed to update status") + } +} + +// mergeCondition merges a new v1alpha1.Condition into a slice of existing conditions. It returns true +// if the condition has meaningfully changed. +func mergeCondition(existing *[]v1alpha1.Condition, new *v1alpha1.Condition) bool { + // Find any existing condition with a matching type. + var old *v1alpha1.Condition + for i := range *existing { + if (*existing)[i].Type == new.Type { + old = &(*existing)[i] + continue + } + } + + // If there is no existing condition of this type, append this one and we're done. + if old == nil { + *existing = append(*existing, *new) + return true + } + + // Set the LastTransitionTime depending on whether the status has changed. + new = new.DeepCopy() + if old.Status == new.Status { + new.LastTransitionTime = old.LastTransitionTime + } + + // If anything has actually changed, update the entry and return true. + if !equality.Semantic.DeepEqual(old, new) { + *old = *new + return true + } + + // Otherwise the entry is already up to date. + return false +} + +func computeScopes(additionalScopes []string) []string { + // First compute the unique set of scopes, including "openid" (de-duplicate). + set := make(map[string]bool, len(additionalScopes)+1) + set["openid"] = true + for _, s := range additionalScopes { + set[s] = true + } + + // Then grab all the keys and sort them. + scopes := make([]string, 0, len(set)) + for s := range set { + scopes = append(scopes, s) + } + sort.Strings(scopes) + return scopes +} diff --git a/internal/controller/supervisorconfig/upstreamwatcher/upstreamwatcher_test.go b/internal/controller/supervisorconfig/upstreamwatcher/upstreamwatcher_test.go new file mode 100644 index 00000000..949effaf --- /dev/null +++ b/internal/controller/supervisorconfig/upstreamwatcher/upstreamwatcher_test.go @@ -0,0 +1,633 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package upstreamwatcher + +import ( + "context" + "encoding/base64" + "encoding/json" + "net/http" + "net/url" + "strings" + "testing" + "time" + + "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/client-go/informers" + "k8s.io/client-go/kubernetes/fake" + + "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" + pinnipedfake "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned/fake" + pinnipedinformers "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions" + "go.pinniped.dev/internal/controllerlib" + "go.pinniped.dev/internal/oidc/provider" + "go.pinniped.dev/internal/testutil" + "go.pinniped.dev/internal/testutil/testlogger" +) + +func TestController(t *testing.T) { + t.Parallel() + now := metav1.NewTime(time.Now().UTC()) + earlier := metav1.NewTime(now.Add(-1 * time.Hour).UTC()) + + // Start another test server that answers discovery successfully. + testIssuerCA, testIssuerURL := newTestIssuer(t) + testIssuerCABase64 := base64.StdEncoding.EncodeToString([]byte(testIssuerCA)) + testIssuerAuthorizeURL, err := url.Parse("https://example.com/authorize") + require.NoError(t, err) + + var ( + testNamespace = "test-namespace" + testName = "test-name" + testSecretName = "test-client-secret" + testAdditionalScopes = []string{"scope1", "scope2", "scope3"} + testExpectedScopes = []string{"openid", "scope1", "scope2", "scope3"} + testClientID = "test-oidc-client-id" + testClientSecret = "test-oidc-client-secret" + testValidSecretData = map[string][]byte{"clientID": []byte(testClientID), "clientSecret": []byte(testClientSecret)} + ) + tests := []struct { + name string + inputUpstreams []runtime.Object + inputSecrets []runtime.Object + wantErr string + wantLogs []string + wantResultingCache []provider.UpstreamOIDCIdentityProvider + wantResultingUpstreams []v1alpha1.UpstreamOIDCProvider + }{ + { + name: "no upstreams", + }, + { + name: "missing secret", + inputUpstreams: []runtime.Object{&v1alpha1.UpstreamOIDCProvider{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, + Spec: v1alpha1.UpstreamOIDCProviderSpec{ + Issuer: testIssuerURL, + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, + AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, + }, + }}, + inputSecrets: []runtime.Object{}, + wantErr: controllerlib.ErrSyntheticRequeue.Error(), + wantLogs: []string{ + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="secret \"test-client-secret\" not found" "reason"="SecretNotFound" "status"="False" "type"="ClientCredentialsValid"`, + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`, + `upstream-observer "error"="UpstreamOIDCProvider has a failing condition" "msg"="found failing condition" "message"="secret \"test-client-secret\" not found" "name"="test-name" "namespace"="test-namespace" "reason"="SecretNotFound" "type"="ClientCredentialsValid"`, + }, + wantResultingCache: []provider.UpstreamOIDCIdentityProvider{}, + wantResultingUpstreams: []v1alpha1.UpstreamOIDCProvider{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, + Status: v1alpha1.UpstreamOIDCProviderStatus{ + Phase: "Error", + Conditions: []v1alpha1.Condition{ + { + Type: "ClientCredentialsValid", + Status: "False", + LastTransitionTime: now, + Reason: "SecretNotFound", + Message: `secret "test-client-secret" not found`, + }, + { + Type: "OIDCDiscoverySucceeded", + Status: "True", + LastTransitionTime: now, + Reason: "Success", + Message: "discovered issuer configuration", + }, + }, + }, + }}, + }, + { + name: "secret has wrong type", + inputUpstreams: []runtime.Object{&v1alpha1.UpstreamOIDCProvider{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, + Spec: v1alpha1.UpstreamOIDCProviderSpec{ + Issuer: testIssuerURL, + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, + AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, + }, + }}, + inputSecrets: []runtime.Object{&corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName}, + Type: "some-other-type", + Data: testValidSecretData, + }}, + wantErr: controllerlib.ErrSyntheticRequeue.Error(), + wantLogs: []string{ + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="referenced Secret \"test-client-secret\" has wrong type \"some-other-type\" (should be \"secrets.pinniped.dev/oidc-client\")" "reason"="SecretWrongType" "status"="False" "type"="ClientCredentialsValid"`, + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`, + `upstream-observer "error"="UpstreamOIDCProvider has a failing condition" "msg"="found failing condition" "message"="referenced Secret \"test-client-secret\" has wrong type \"some-other-type\" (should be \"secrets.pinniped.dev/oidc-client\")" "name"="test-name" "namespace"="test-namespace" "reason"="SecretWrongType" "type"="ClientCredentialsValid"`, + }, + wantResultingCache: []provider.UpstreamOIDCIdentityProvider{}, + wantResultingUpstreams: []v1alpha1.UpstreamOIDCProvider{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, + Status: v1alpha1.UpstreamOIDCProviderStatus{ + Phase: "Error", + Conditions: []v1alpha1.Condition{ + { + Type: "ClientCredentialsValid", + Status: "False", + LastTransitionTime: now, + Reason: "SecretWrongType", + Message: `referenced Secret "test-client-secret" has wrong type "some-other-type" (should be "secrets.pinniped.dev/oidc-client")`, + }, + { + Type: "OIDCDiscoverySucceeded", + Status: "True", + LastTransitionTime: now, + Reason: "Success", + Message: "discovered issuer configuration", + }, + }, + }, + }}, + }, + { + name: "secret is missing key", + inputUpstreams: []runtime.Object{&v1alpha1.UpstreamOIDCProvider{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, + Spec: v1alpha1.UpstreamOIDCProviderSpec{ + Issuer: testIssuerURL, + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, + AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, + }, + }}, + inputSecrets: []runtime.Object{&corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName}, + Type: "secrets.pinniped.dev/oidc-client", + }}, + wantErr: controllerlib.ErrSyntheticRequeue.Error(), + wantLogs: []string{ + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="referenced Secret \"test-client-secret\" is missing required keys [\"clientID\" \"clientSecret\"]" "reason"="SecretMissingKeys" "status"="False" "type"="ClientCredentialsValid"`, + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`, + `upstream-observer "error"="UpstreamOIDCProvider has a failing condition" "msg"="found failing condition" "message"="referenced Secret \"test-client-secret\" is missing required keys [\"clientID\" \"clientSecret\"]" "name"="test-name" "namespace"="test-namespace" "reason"="SecretMissingKeys" "type"="ClientCredentialsValid"`, + }, + wantResultingCache: []provider.UpstreamOIDCIdentityProvider{}, + wantResultingUpstreams: []v1alpha1.UpstreamOIDCProvider{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, + Status: v1alpha1.UpstreamOIDCProviderStatus{ + Phase: "Error", + Conditions: []v1alpha1.Condition{ + { + Type: "ClientCredentialsValid", + Status: "False", + LastTransitionTime: now, + Reason: "SecretMissingKeys", + Message: `referenced Secret "test-client-secret" is missing required keys ["clientID" "clientSecret"]`, + }, + { + Type: "OIDCDiscoverySucceeded", + Status: "True", + LastTransitionTime: now, + Reason: "Success", + Message: "discovered issuer configuration", + }, + }, + }, + }}, + }, + { + name: "TLS CA bundle is invalid base64", + inputUpstreams: []runtime.Object{&v1alpha1.UpstreamOIDCProvider{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "test-name"}, + Spec: v1alpha1.UpstreamOIDCProviderSpec{ + Issuer: testIssuerURL, + TLS: &v1alpha1.TLSSpec{ + CertificateAuthorityData: "invalid-base64", + }, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, + AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: append(testAdditionalScopes, "xyz", "openid")}, + }, + }}, + inputSecrets: []runtime.Object{&corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName}, + Type: "secrets.pinniped.dev/oidc-client", + Data: testValidSecretData, + }}, + wantErr: controllerlib.ErrSyntheticRequeue.Error(), + wantLogs: []string{ + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`, + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="spec.certificateAuthorityData is invalid: illegal base64 data at input byte 7" "reason"="InvalidTLSConfig" "status"="False" "type"="OIDCDiscoverySucceeded"`, + `upstream-observer "error"="UpstreamOIDCProvider has a failing condition" "msg"="found failing condition" "message"="spec.certificateAuthorityData is invalid: illegal base64 data at input byte 7" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidTLSConfig" "type"="OIDCDiscoverySucceeded"`, + }, + wantResultingCache: []provider.UpstreamOIDCIdentityProvider{}, + wantResultingUpstreams: []v1alpha1.UpstreamOIDCProvider{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, + Status: v1alpha1.UpstreamOIDCProviderStatus{ + Phase: "Error", + Conditions: []v1alpha1.Condition{ + { + Type: "ClientCredentialsValid", + Status: "True", + LastTransitionTime: now, + Reason: "Success", + Message: "loaded client credentials", + }, + { + Type: "OIDCDiscoverySucceeded", + Status: "False", + LastTransitionTime: now, + Reason: "InvalidTLSConfig", + Message: `spec.certificateAuthorityData is invalid: illegal base64 data at input byte 7`, + }, + }, + }, + }}, + }, + { + name: "TLS CA bundle does not have any certificates", + inputUpstreams: []runtime.Object{&v1alpha1.UpstreamOIDCProvider{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "test-name"}, + Spec: v1alpha1.UpstreamOIDCProviderSpec{ + Issuer: testIssuerURL, + TLS: &v1alpha1.TLSSpec{ + CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("not-a-pem-ca-bundle")), + }, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, + AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: append(testAdditionalScopes, "xyz", "openid")}, + }, + }}, + inputSecrets: []runtime.Object{&corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName}, + Type: "secrets.pinniped.dev/oidc-client", + Data: testValidSecretData, + }}, + wantErr: controllerlib.ErrSyntheticRequeue.Error(), + wantLogs: []string{ + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`, + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="spec.certificateAuthorityData is invalid: no certificates found" "reason"="InvalidTLSConfig" "status"="False" "type"="OIDCDiscoverySucceeded"`, + `upstream-observer "error"="UpstreamOIDCProvider has a failing condition" "msg"="found failing condition" "message"="spec.certificateAuthorityData is invalid: no certificates found" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidTLSConfig" "type"="OIDCDiscoverySucceeded"`, + }, + wantResultingCache: []provider.UpstreamOIDCIdentityProvider{}, + wantResultingUpstreams: []v1alpha1.UpstreamOIDCProvider{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, + Status: v1alpha1.UpstreamOIDCProviderStatus{ + Phase: "Error", + Conditions: []v1alpha1.Condition{ + { + Type: "ClientCredentialsValid", + Status: "True", + LastTransitionTime: now, + Reason: "Success", + Message: "loaded client credentials", + }, + { + Type: "OIDCDiscoverySucceeded", + Status: "False", + LastTransitionTime: now, + Reason: "InvalidTLSConfig", + Message: `spec.certificateAuthorityData is invalid: no certificates found`, + }, + }, + }, + }}, + }, + { + name: "issuer is invalid URL", + inputUpstreams: []runtime.Object{&v1alpha1.UpstreamOIDCProvider{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, + Spec: v1alpha1.UpstreamOIDCProviderSpec{ + Issuer: "invalid-url", + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, + AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, + }, + }}, + inputSecrets: []runtime.Object{&corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName}, + Type: "secrets.pinniped.dev/oidc-client", + Data: testValidSecretData, + }}, + wantErr: controllerlib.ErrSyntheticRequeue.Error(), + wantLogs: []string{ + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`, + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="failed to perform OIDC discovery against \"invalid-url\"" "reason"="Unreachable" "status"="False" "type"="OIDCDiscoverySucceeded"`, + `upstream-observer "error"="UpstreamOIDCProvider has a failing condition" "msg"="found failing condition" "message"="failed to perform OIDC discovery against \"invalid-url\"" "name"="test-name" "namespace"="test-namespace" "reason"="Unreachable" "type"="OIDCDiscoverySucceeded"`, + }, + wantResultingCache: []provider.UpstreamOIDCIdentityProvider{}, + wantResultingUpstreams: []v1alpha1.UpstreamOIDCProvider{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, + Status: v1alpha1.UpstreamOIDCProviderStatus{ + Phase: "Error", + Conditions: []v1alpha1.Condition{ + { + Type: "ClientCredentialsValid", + Status: "True", + LastTransitionTime: now, + Reason: "Success", + Message: "loaded client credentials", + }, + { + Type: "OIDCDiscoverySucceeded", + Status: "False", + LastTransitionTime: now, + Reason: "Unreachable", + Message: `failed to perform OIDC discovery against "invalid-url"`, + }, + }, + }, + }}, + }, + { + name: "issuer returns invalid authorize URL", + inputUpstreams: []runtime.Object{&v1alpha1.UpstreamOIDCProvider{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, + Spec: v1alpha1.UpstreamOIDCProviderSpec{ + Issuer: testIssuerURL + "/invalid", + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, + AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, + }, + }}, + inputSecrets: []runtime.Object{&corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName}, + Type: "secrets.pinniped.dev/oidc-client", + Data: testValidSecretData, + }}, + wantErr: controllerlib.ErrSyntheticRequeue.Error(), + wantLogs: []string{ + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`, + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="failed to parse authorization endpoint URL: parse \"%\": invalid URL escape \"%\"" "reason"="InvalidResponse" "status"="False" "type"="OIDCDiscoverySucceeded"`, + `upstream-observer "error"="UpstreamOIDCProvider has a failing condition" "msg"="found failing condition" "message"="failed to parse authorization endpoint URL: parse \"%\": invalid URL escape \"%\"" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidResponse" "type"="OIDCDiscoverySucceeded"`, + }, + wantResultingCache: []provider.UpstreamOIDCIdentityProvider{}, + wantResultingUpstreams: []v1alpha1.UpstreamOIDCProvider{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, + Status: v1alpha1.UpstreamOIDCProviderStatus{ + Phase: "Error", + Conditions: []v1alpha1.Condition{ + { + Type: "ClientCredentialsValid", + Status: "True", + LastTransitionTime: now, + Reason: "Success", + Message: "loaded client credentials", + }, + { + Type: "OIDCDiscoverySucceeded", + Status: "False", + LastTransitionTime: now, + Reason: "InvalidResponse", + Message: `failed to parse authorization endpoint URL: parse "%": invalid URL escape "%"`, + }, + }, + }, + }}, + }, + { + name: "issuer returns insecure authorize URL", + inputUpstreams: []runtime.Object{&v1alpha1.UpstreamOIDCProvider{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, + Spec: v1alpha1.UpstreamOIDCProviderSpec{ + Issuer: testIssuerURL + "/insecure", + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, + AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, + }, + }}, + inputSecrets: []runtime.Object{&corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName}, + Type: "secrets.pinniped.dev/oidc-client", + Data: testValidSecretData, + }}, + wantErr: controllerlib.ErrSyntheticRequeue.Error(), + wantLogs: []string{ + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`, + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="authorization endpoint URL scheme must be \"https\", not \"http\"" "reason"="InvalidResponse" "status"="False" "type"="OIDCDiscoverySucceeded"`, + `upstream-observer "error"="UpstreamOIDCProvider has a failing condition" "msg"="found failing condition" "message"="authorization endpoint URL scheme must be \"https\", not \"http\"" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidResponse" "type"="OIDCDiscoverySucceeded"`, + }, + wantResultingCache: []provider.UpstreamOIDCIdentityProvider{}, + wantResultingUpstreams: []v1alpha1.UpstreamOIDCProvider{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, + Status: v1alpha1.UpstreamOIDCProviderStatus{ + Phase: "Error", + Conditions: []v1alpha1.Condition{ + { + Type: "ClientCredentialsValid", + Status: "True", + LastTransitionTime: now, + Reason: "Success", + Message: "loaded client credentials", + }, + { + Type: "OIDCDiscoverySucceeded", + Status: "False", + LastTransitionTime: now, + Reason: "InvalidResponse", + Message: `authorization endpoint URL scheme must be "https", not "http"`, + }, + }, + }, + }}, + }, + { + name: "upstream becomes valid", + inputUpstreams: []runtime.Object{&v1alpha1.UpstreamOIDCProvider{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: "test-name"}, + Spec: v1alpha1.UpstreamOIDCProviderSpec{ + Issuer: testIssuerURL, + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, + AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: append(testAdditionalScopes, "xyz", "openid")}, + }, + Status: v1alpha1.UpstreamOIDCProviderStatus{ + Phase: "Error", + Conditions: []v1alpha1.Condition{ + {Type: "ClientCredentialsValid", Status: "False", LastTransitionTime: earlier, Reason: "SomeError1", Message: "some previous error 1"}, + {Type: "OIDCDiscoverySucceeded", Status: "False", LastTransitionTime: earlier, Reason: "SomeError2", Message: "some previous error 2"}, + }, + }, + }}, + inputSecrets: []runtime.Object{&corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName}, + Type: "secrets.pinniped.dev/oidc-client", + Data: testValidSecretData, + }}, + wantLogs: []string{ + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`, + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`, + }, + wantResultingCache: []provider.UpstreamOIDCIdentityProvider{{ + Name: testName, + ClientID: testClientID, + AuthorizationURL: *testIssuerAuthorizeURL, + Scopes: append(testExpectedScopes, "xyz"), + }}, + wantResultingUpstreams: []v1alpha1.UpstreamOIDCProvider{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName}, + Status: v1alpha1.UpstreamOIDCProviderStatus{ + Phase: "Ready", + Conditions: []v1alpha1.Condition{ + {Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: now, Reason: "Success", Message: "loaded client credentials"}, + {Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: now, Reason: "Success", Message: "discovered issuer configuration"}, + }, + }, + }}, + }, + { + name: "existing valid upstream", + inputUpstreams: []runtime.Object{&v1alpha1.UpstreamOIDCProvider{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234}, + Spec: v1alpha1.UpstreamOIDCProviderSpec{ + Issuer: testIssuerURL, + TLS: &v1alpha1.TLSSpec{CertificateAuthorityData: testIssuerCABase64}, + Client: v1alpha1.OIDCClient{SecretName: testSecretName}, + AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{AdditionalScopes: testAdditionalScopes}, + }, + Status: v1alpha1.UpstreamOIDCProviderStatus{ + Phase: "Ready", + Conditions: []v1alpha1.Condition{ + {Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials"}, + {Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration"}, + }, + }, + }}, + inputSecrets: []runtime.Object{&corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testSecretName}, + Type: "secrets.pinniped.dev/oidc-client", + Data: testValidSecretData, + }}, + wantLogs: []string{ + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`, + `upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded"`, + }, + wantResultingCache: []provider.UpstreamOIDCIdentityProvider{{ + Name: testName, + ClientID: testClientID, + AuthorizationURL: *testIssuerAuthorizeURL, + Scopes: testExpectedScopes, + }}, + wantResultingUpstreams: []v1alpha1.UpstreamOIDCProvider{{ + ObjectMeta: metav1.ObjectMeta{Namespace: testNamespace, Name: testName, Generation: 1234}, + Status: v1alpha1.UpstreamOIDCProviderStatus{ + Phase: "Ready", + Conditions: []v1alpha1.Condition{ + {Type: "ClientCredentialsValid", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "loaded client credentials", ObservedGeneration: 1234}, + {Type: "OIDCDiscoverySucceeded", Status: "True", LastTransitionTime: earlier, Reason: "Success", Message: "discovered issuer configuration", ObservedGeneration: 1234}, + }, + }, + }}, + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + fakePinnipedClient := pinnipedfake.NewSimpleClientset(tt.inputUpstreams...) + pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0) + fakeKubeClient := fake.NewSimpleClientset(tt.inputSecrets...) + kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0) + testLog := testlogger.New(t) + cache := provider.NewDynamicUpstreamIDPProvider() + cache.SetIDPList([]provider.UpstreamOIDCIdentityProvider{{Name: "initial-entry"}}) + + controller := New( + cache, + fakePinnipedClient, + pinnipedInformers.IDP().V1alpha1().UpstreamOIDCProviders(), + kubeInformers.Core().V1().Secrets(), + testLog) + + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) + defer cancel() + + pinnipedInformers.Start(ctx.Done()) + kubeInformers.Start(ctx.Done()) + controllerlib.TestRunSynchronously(t, controller) + + syncCtx := controllerlib.Context{Context: ctx, Key: controllerlib.Key{}} + + if err := controllerlib.TestSync(t, controller, syncCtx); tt.wantErr != "" { + require.EqualError(t, err, tt.wantErr) + } else { + require.NoError(t, err) + } + require.Equal(t, strings.Join(tt.wantLogs, "\n"), strings.Join(testLog.Lines(), "\n")) + require.ElementsMatch(t, tt.wantResultingCache, cache.GetIDPList()) + + actualUpstreams, err := fakePinnipedClient.IDPV1alpha1().UpstreamOIDCProviders(testNamespace).List(ctx, metav1.ListOptions{}) + require.NoError(t, err) + + // Preprocess the set of upstreams a bit so that they're easier to assert against. + require.ElementsMatch(t, tt.wantResultingUpstreams, normalizeUpstreams(actualUpstreams.Items, now)) + + // Running the sync() a second time should be idempotent except for logs, and should return the same error. + // This also helps exercise code paths where the OIDC provider discovery hits cache. + if err := controllerlib.TestSync(t, controller, syncCtx); tt.wantErr != "" { + require.EqualError(t, err, tt.wantErr) + } else { + require.NoError(t, err) + } + }) + } +} + +func normalizeUpstreams(upstreams []v1alpha1.UpstreamOIDCProvider, now metav1.Time) []v1alpha1.UpstreamOIDCProvider { + result := make([]v1alpha1.UpstreamOIDCProvider, 0, len(upstreams)) + for _, u := range upstreams { + normalized := u.DeepCopy() + + // We're only interested in comparing the status, so zero out the spec. + normalized.Spec = v1alpha1.UpstreamOIDCProviderSpec{} + + // Round down the LastTransitionTime values to `now` if they were just updated. This makes + // it much easier to encode assertions about the expected timestamps. + for i := range normalized.Status.Conditions { + if time.Since(normalized.Status.Conditions[i].LastTransitionTime.Time) < 5*time.Second { + normalized.Status.Conditions[i].LastTransitionTime = now + } + } + result = append(result, *normalized) + } + + return result +} + +func newTestIssuer(t *testing.T) (string, string) { + mux := http.NewServeMux() + caBundlePEM, testURL := testutil.TLSTestServer(t, mux.ServeHTTP) + + type providerJSON struct { + Issuer string `json:"issuer"` + AuthURL string `json:"authorization_endpoint"` + TokenURL string `json:"token_endpoint"` + JWKSURL string `json:"jwks_uri"` + } + + // At the root of the server, serve an issuer with a valid discovery response. + mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("content-type", "application/json") + _ = json.NewEncoder(w).Encode(&providerJSON{ + Issuer: testURL, + AuthURL: "https://example.com/authorize", + }) + }) + + // At "/invalid", serve an issuer that returns an invalid authorization URL (not parseable). + mux.HandleFunc("/invalid/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("content-type", "application/json") + _ = json.NewEncoder(w).Encode(&providerJSON{ + Issuer: testURL + "/invalid", + AuthURL: "%", + }) + }) + + // At "/insecure", serve an issuer that returns an insecure authorization URL (not https://). + mux.HandleFunc("/insecure/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("content-type", "application/json") + _ = json.NewEncoder(w).Encode(&providerJSON{ + Issuer: testURL + "/insecure", + AuthURL: "http://example.com/authorize", + }) + }) + + return caBundlePEM, testURL +} diff --git a/internal/oidcclient/login.go b/internal/oidcclient/login.go index 5ab3b5ff..6fda48c9 100644 --- a/internal/oidcclient/login.go +++ b/internal/oidcclient/login.go @@ -44,6 +44,8 @@ type handlerState struct { scopes []string cache SessionCache + httpClient *http.Client + // Parameters of the localhost listener. listenAddr string callbackPath string @@ -122,6 +124,14 @@ func WithSessionCache(cache SessionCache) Option { } } +// WithClient sets the HTTP client used to make CLI-to-provider requests. +func WithClient(httpClient *http.Client) Option { + return func(h *handlerState) error { + h.httpClient = httpClient + return nil + } +} + // nopCache is a SessionCache that doesn't actually do anything. type nopCache struct{} @@ -144,6 +154,7 @@ func Login(issuer string, clientID string, opts ...Option) (*Token, error) { callbackPath: "/callback", ctx: context.Background(), callbacks: make(chan callbackResult), + httpClient: http.DefaultClient, // Default implementations of external dependencies (to be mocked in tests). generateState: state.Generate, @@ -163,6 +174,7 @@ func Login(issuer string, clientID string, opts ...Option) (*Token, error) { // Always set a long, but non-infinite timeout for this operation. ctx, cancel := context.WithTimeout(h.ctx, 10*time.Minute) defer cancel() + ctx = oidc.ClientContext(ctx, h.httpClient) h.ctx = ctx // Initialize login parameters. diff --git a/internal/oidcclient/login_test.go b/internal/oidcclient/login_test.go index ea12737f..35574ba0 100644 --- a/internal/oidcclient/login_test.go +++ b/internal/oidcclient/login_test.go @@ -416,6 +416,7 @@ func TestLogin(t *testing.T) { require.Equal(t, []*Token{&testToken}, cache.sawPutTokens) }) require.NoError(t, WithSessionCache(cache)(h)) + require.NoError(t, WithClient(&http.Client{Timeout: 10 * time.Second})(h)) h.openURL = func(actualURL string) error { parsedActualURL, err := url.Parse(actualURL) diff --git a/internal/registry/credentialrequest/rest.go b/internal/registry/credentialrequest/rest.go index 4dbfe7c5..fcbb0516 100644 --- a/internal/registry/credentialrequest/rest.go +++ b/internal/registry/credentialrequest/rest.go @@ -22,14 +22,7 @@ import ( ) // clientCertificateTTL is the TTL for short-lived client certificates returned by this API. -const clientCertificateTTL = 1 * time.Hour - -type Storage interface { - rest.Creater - rest.NamespaceScopedStrategy - rest.Scoper - rest.Storage -} +const clientCertificateTTL = 5 * time.Minute type CertIssuer interface { IssuePEM(subject pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error) @@ -51,6 +44,15 @@ type REST struct { issuer CertIssuer } +// Assert that our *REST implements all the optional interfaces that we expect it to implement. +var _ interface { + rest.Creater + rest.NamespaceScopedStrategy + rest.Scoper + rest.Storage + rest.CategoriesProvider +} = (*REST)(nil) + func (*REST) New() runtime.Object { return &loginapi.TokenCredentialRequest{} } @@ -59,6 +61,10 @@ func (*REST) NamespaceScoped() bool { return true } +func (*REST) Categories() []string { + return []string{"pinniped"} +} + func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) { t := trace.FromContext(ctx).Nest("create", trace.Field{ Key: "kind", diff --git a/internal/registry/credentialrequest/rest_test.go b/internal/registry/credentialrequest/rest_test.go index 4bebbc53..4b311715 100644 --- a/internal/registry/credentialrequest/rest_test.go +++ b/internal/registry/credentialrequest/rest_test.go @@ -31,6 +31,7 @@ func TestNew(t *testing.T) { r := NewREST(nil, nil) require.NotNil(t, r) require.True(t, r.NamespaceScoped()) + require.Equal(t, []string{"pinniped"}, r.Categories()) require.IsType(t, &loginapi.TokenCredentialRequest{}, r.New()) } @@ -69,7 +70,7 @@ func TestCreate(t *testing.T) { CommonName: "test-user", Organization: []string{"test-group-1", "test-group-2"}}, []string{}, - 1*time.Hour, + 5*time.Minute, ).Return([]byte("test-cert"), []byte("test-key"), nil) storage := NewREST(requestAuthenticator, issuer) @@ -81,7 +82,7 @@ func TestCreate(t *testing.T) { expires := response.(*loginapi.TokenCredentialRequest).Status.Credential.ExpirationTimestamp r.NotNil(expires) - r.InDelta(time.Now().Add(1*time.Hour).Unix(), expires.Unix(), 5) + r.InDelta(time.Now().Add(5*time.Minute).Unix(), expires.Unix(), 5) response.(*loginapi.TokenCredentialRequest).Status.Credential.ExpirationTimestamp = metav1.Time{} r.Equal(response, &loginapi.TokenCredentialRequest{ diff --git a/site/content/docs/architecture.md b/site/content/docs/architecture.md index e79060a7..64fb5715 100644 --- a/site/content/docs/architecture.md +++ b/site/content/docs/architecture.md @@ -42,7 +42,7 @@ Pinniped supports the following external IDP types. serve as an extension point for Pinniped by allowing for integration of arbitrary custom authenticators. While a custom implementation may be in any language or framework, this project provides a sample implementation in Golang. See the `ServeHTTP` method of - [cmd/local-user-authenticator/main.go](https://github.com/vmware-tanzu/pinniped/cmd/local-user-authenticator/main.go). + [cmd/local-user-authenticator/main.go](https://github.com/vmware-tanzu/pinniped/blob/main/cmd/local-user-authenticator/main.go). More IDP types are coming soon. @@ -71,7 +71,7 @@ With any of the above IDPs and integration strategies, `kubectl` commands receiv cluster-specific credential via a [Kubernetes client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins). Users may use the Pinniped CLI as the credential plugin, or they may use any proprietary CLI -built with the [Pinniped Go client library](https://github.com/vmware-tanzu/pinniped/generated). +built with the [Pinniped Go client library](https://github.com/vmware-tanzu/pinniped/tree/main/generated). ## Example Cluster Authentication Sequence Diagram diff --git a/site/content/docs/scope.md b/site/content/docs/scope.md index 418e6079..3b52f03f 100644 --- a/site/content/docs/scope.md +++ b/site/content/docs/scope.md @@ -36,4 +36,4 @@ The following items are out of scope for the Pinniped project. More details coming soon! For more details on proposing features and bugs, check out our -[contributing](../CONTRIBUTING.md) doc. +[contributing](https://github.com/vmware-tanzu/pinniped/blob/main/CONTRIBUTING.md) doc. diff --git a/site/themes/pinniped/layouts/partials/use-cases.html b/site/themes/pinniped/layouts/partials/use-cases.html index 5e0e0755..740956b3 100644 --- a/site/themes/pinniped/layouts/partials/use-cases.html +++ b/site/themes/pinniped/layouts/partials/use-cases.html @@ -12,8 +12,8 @@
-

Cluster Administration

-

Easily plug in external IDPs into Kubernetes clusters while offering a simple install and configuration experience. Leverage first class integration with Kubernetes and kubectl CLI.

+

Seamless Authentication

+

Give users a consistent, unified login experience across all your clusters, including on-premises and managed cloud environments.

@@ -25,8 +25,8 @@
-

Cluster Administration

-

Easily plug in external IDPs into Kubernetes clusters while offering a simple install and configuration experience. Leverage first class integration with Kubernetes and kubectl CLI.

+

Security for Enterprises & Teams Alike

+

Securely integrate with an enterprise IDP using standard protocols or use secure, externally-managed identities instead of relying on simple, shared credentials.

diff --git a/test/deploy/dex/dex.yaml b/test/deploy/dex/dex.yaml index dcea584f..6372d49a 100644 --- a/test/deploy/dex/dex.yaml +++ b/test/deploy/dex/dex.yaml @@ -6,13 +6,15 @@ #@ load("@ytt:yaml", "yaml") #@ def dexConfig(): -issuer: #@ "http://127.0.0.1:" + str(data.values.ports.local) + "/dex" +issuer: https://dex.dex.svc.cluster.local/dex storage: type: sqlite3 config: file: ":memory:" web: - http: 0.0.0.0:5556 + https: 0.0.0.0:443 + tlsCert: /var/certs/dex.pem + tlsKey: /var/certs/dex-key.pem oauth2: skipApprovalScreen: true staticClients: @@ -67,24 +69,59 @@ spec: annotations: dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig())) spec: + initContainers: + - name: generate-certs + image: cfssl/cfssl:1.5.0 + imagePullPolicy: IfNotPresent + command: ["/bin/bash"] + args: + - -c + - | + cd /var/certs + cfssl print-defaults config > /tmp/cfssl-default.json + echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > csr.json + + echo "generating CA key..." + cfssl genkey \ + -config /tmp/cfssl-default.json \ + -initca csr.json \ + | cfssljson -bare ca + + echo "generating Dex server certificate..." + cfssl gencert \ + -ca ca.pem -ca-key ca-key.pem \ + -config /tmp/cfssl-default.json \ + -profile www \ + -cn "dex.dex.svc.cluster.local" \ + -hostname "dex.dex.svc.cluster.local" \ + csr.json \ + | cfssljson -bare dex + volumeMounts: + - name: certs + mountPath: /var/certs containers: - - name: dex - image: quay.io/dexidp/dex:v2.10.0 - imagePullPolicy: IfNotPresent - command: - - /usr/local/bin/dex - - serve - - /etc/dex/cfg/config.yaml - ports: - - name: http - containerPort: 5556 - volumeMounts: - - name: config - mountPath: /etc/dex/cfg + - name: dex + image: quay.io/dexidp/dex:v2.10.0 + imagePullPolicy: IfNotPresent + command: + - /usr/local/bin/dex + - serve + - /etc/dex/cfg/config.yaml + ports: + - name: https + containerPort: 443 + volumeMounts: + - name: dex-config + mountPath: /etc/dex/cfg + - name: certs + mountPath: /var/certs + readOnly: true volumes: - - name: config + - name: dex-config configMap: name: dex-config + - name: certs + emptyDir: {} --- apiVersion: v1 kind: Service @@ -94,9 +131,9 @@ metadata: labels: app: dex spec: - type: NodePort + type: ClusterIP selector: app: dex ports: - - port: 5556 - nodePort: #@ data.values.ports.node + - port: 443 + name: https diff --git a/test/deploy/dex/proxy.yaml b/test/deploy/dex/proxy.yaml new file mode 100644 index 00000000..1d7d8a66 --- /dev/null +++ b/test/deploy/dex/proxy.yaml @@ -0,0 +1,58 @@ +#! Copyright 2020 the Pinniped contributors. All Rights Reserved. +#! SPDX-License-Identifier: Apache-2.0 + +#@ load("@ytt:data", "data") +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: proxy + namespace: dex + labels: + app: proxy +spec: + replicas: 1 + selector: + matchLabels: + app: proxy + template: + metadata: + labels: + app: proxy + spec: + containers: + - name: proxy + image: docker.io/getpinniped/test-forward-proxy + imagePullPolicy: Always + ports: + - name: http + containerPort: 3128 + resources: + requests: + cpu: "10m" + memory: "64Mi" + limits: + cpu: "10m" + memory: "64Mi" + readinessProbe: + tcpSocket: + port: http + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 5 + failureThreshold: 2 +--- +apiVersion: v1 +kind: Service +metadata: + name: proxy + namespace: dex + labels: + app: proxy +spec: + type: NodePort + selector: + app: proxy + ports: + - port: 3128 + nodePort: #@ data.values.ports.node \ No newline at end of file diff --git a/test/deploy/dex/values.yaml b/test/deploy/dex/values.yaml index 7d04cdb1..27022cdb 100644 --- a/test/deploy/dex/values.yaml +++ b/test/deploy/dex/values.yaml @@ -8,10 +8,10 @@ ports: #! Used in the Dex configuration to form the valid redirect URIs for our test client. cli: 48095 - #! Kubernetes NodePort that should be forwarded to the Dex service. + #! Kubernetes NodePort that should be forwarded to the proxy service. #! Used to create a Service of type: NodePort node: 31235 - #! External port where Dex ends up exposed on localhost during tests. This value comes from our - #! Kind configuration which maps 127.0.0.1:12346 to port 31235 on the Kind worker node. + #! External port where the proxy ends up exposed on localhost during tests. This value comes from + #! our Kind configuration which maps 127.0.0.1:12346 to port 31235 on the Kind worker node. local: 12346 diff --git a/test/integration/cli_test.go b/test/integration/cli_test.go index 93d8fb19..6a1c2a15 100644 --- a/test/integration/cli_test.go +++ b/test/integration/cli_test.go @@ -130,8 +130,8 @@ func getLoginProvider(t *testing.T) *loginProviderPatterns { }, { Name: "Dex", - IssuerPattern: regexp.MustCompile(`\Ahttp://127\.0\.0\.1.+/dex.*\z`), - LoginPagePattern: regexp.MustCompile(`\Ahttp://127\.0\.0\.1.+/dex/auth/local.+\z`), + IssuerPattern: regexp.MustCompile(`\Ahttps://dex\.dex\.svc\.cluster\.local/dex.*\z`), + LoginPagePattern: regexp.MustCompile(`\Ahttps://dex\.dex\.svc\.cluster\.local/dex/auth/local.+\z`), UsernameSelector: "input#login", PasswordSelector: "input#password", LoginButtonSelector: "button#submit-login", @@ -156,9 +156,21 @@ func TestCLILoginOIDC(t *testing.T) { // Start the browser driver. t.Logf("opening browser driver") + caps := agouti.NewCapabilities() + if env.Proxy != "" { + t.Logf("configuring Chrome to use proxy %q", env.Proxy) + caps = caps.Proxy(agouti.ProxyConfig{ + ProxyType: "manual", + HTTPProxy: env.Proxy, + SSLProxy: env.Proxy, + NoProxy: "127.0.0.1", + }) + } agoutiDriver := agouti.ChromeDriver( + agouti.Desired(caps), agouti.ChromeOptions("args", []string{ "--no-sandbox", + "--ignore-certificate-errors", "--headless", // Comment out this line to see the tests happen in a visible browser window. }), // Uncomment this to see stdout/stderr from chromedriver. @@ -395,11 +407,28 @@ func spawnTestGoroutine(t *testing.T, f func() error) { func oidcLoginCommand(ctx context.Context, t *testing.T, pinnipedExe string, sessionCachePath string) *exec.Cmd { env := library.IntegrationEnv(t) - return exec.CommandContext(ctx, pinnipedExe, "login", "oidc", + cmd := exec.CommandContext(ctx, pinnipedExe, "login", "oidc", "--issuer", env.OIDCUpstream.Issuer, "--client-id", env.OIDCUpstream.ClientID, "--listen-port", strconv.Itoa(env.OIDCUpstream.LocalhostPort), "--session-cache", sessionCachePath, "--skip-browser", ) + + // If there is a custom CA bundle, pass it via --ca-bundle and a temporary file. + if env.OIDCUpstream.CABundle != "" { + path := filepath.Join(t.TempDir(), "test-ca.pem") + require.NoError(t, ioutil.WriteFile(path, []byte(env.OIDCUpstream.CABundle), 0600)) + cmd.Args = append(cmd.Args, "--ca-bundle", path) + } + + // If there is a custom proxy, set it using standard environment variables. + if env.Proxy != "" { + cmd.Env = append(os.Environ(), + "http_proxy="+env.Proxy, + "https_proxy="+env.Proxy, + "no_proxy=127.0.0.1", + ) + } + return cmd } diff --git a/test/integration/client_test.go b/test/integration/client_test.go index 6e470120..64dd1aba 100644 --- a/test/integration/client_test.go +++ b/test/integration/client_test.go @@ -78,7 +78,7 @@ func TestClient(t *testing.T) { require.NoError(t, err) require.NotNil(t, resp.Status.ExpirationTimestamp) - require.InDelta(t, time.Until(resp.Status.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute)) + require.InDelta(t, 5*time.Minute, time.Until(resp.Status.ExpirationTimestamp.Time), float64(time.Minute)) // Create a client using the certificate and key returned by the token exchange. validClient := library.NewClientsetWithCertAndKey(t, resp.Status.ClientCertificateData, resp.Status.ClientKeyData) diff --git a/test/integration/concierge_credentialrequest_test.go b/test/integration/concierge_credentialrequest_test.go index ba151358..30ca7eb3 100644 --- a/test/integration/concierge_credentialrequest_test.go +++ b/test/integration/concierge_credentialrequest_test.go @@ -64,7 +64,7 @@ func TestSuccessfulCredentialRequest(t *testing.T) { require.ElementsMatch(t, env.TestUser.ExpectedGroups, getOrganizations(t, response.Status.Credential.ClientCertificateData)) require.NotEmpty(t, response.Status.Credential.ClientKeyData) require.NotNil(t, response.Status.Credential.ExpirationTimestamp) - require.InDelta(t, time.Until(response.Status.Credential.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute)) + require.InDelta(t, 5*time.Minute, time.Until(response.Status.Credential.ExpirationTimestamp.Time), float64(time.Minute)) // Create a client using the admin kubeconfig. adminClient := library.NewClientset(t) diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go index 5a2bd8f7..d04b1b42 100644 --- a/test/integration/kube_api_discovery_test.go +++ b/test/integration/kube_api_discovery_test.go @@ -17,8 +17,7 @@ import ( func TestGetAPIResourceList(t *testing.T) { library.SkipUnlessIntegration(t) - client := library.NewConciergeClientset(t) - + client := library.NewClientset(t) groups, resources, err := client.Discovery().ServerGroupsAndResources() require.NoError(t, err) @@ -47,6 +46,7 @@ func TestGetAPIResourceList(t *testing.T) { Kind: "TokenCredentialRequest", Verbs: []string{"create"}, Namespaced: true, + Categories: []string{"pinniped"}, }, }, }, @@ -78,6 +78,39 @@ func TestGetAPIResourceList(t *testing.T) { }, }, }, + { + group: metav1.APIGroup{ + Name: "idp.supervisor.pinniped.dev", + Versions: []metav1.GroupVersionForDiscovery{ + { + GroupVersion: "idp.supervisor.pinniped.dev/v1alpha1", + Version: "v1alpha1", + }, + }, + PreferredVersion: metav1.GroupVersionForDiscovery{ + GroupVersion: "idp.supervisor.pinniped.dev/v1alpha1", + Version: "v1alpha1", + }, + }, + resourceByVersion: map[string][]metav1.APIResource{ + "idp.supervisor.pinniped.dev/v1alpha1": { + { + Name: "upstreamoidcproviders", + SingularName: "upstreamoidcprovider", + Namespaced: true, + Kind: "UpstreamOIDCProvider", + Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"}, + Categories: []string{"pinniped", "pinniped-idp", "pinniped-idps"}, + }, + { + Name: "upstreamoidcproviders/status", + Namespaced: true, + Kind: "UpstreamOIDCProvider", + Verbs: []string{"get", "patch", "update"}, + }, + }, + }, + }, { group: metav1.APIGroup{ Name: "config.concierge.pinniped.dev", @@ -155,9 +188,10 @@ func TestGetAPIResourceList(t *testing.T) { continue } for _, a := range r.APIResources { - if a.Kind != "TokenCredentialRequest" { - assert.Containsf(t, a.Categories, "pinniped", "expected resource %q to be in the 'pinniped' category", a.Name) + if strings.HasSuffix(a.Name, "/status") { + continue } + assert.Containsf(t, a.Categories, "pinniped", "expected resource %q to be in the 'pinniped' category", a.Name) assert.NotContainsf(t, a.Categories, "all", "expected resource %q not to be in the 'all' category", a.Name) } } diff --git a/test/integration/supervisor_upstream_test.go b/test/integration/supervisor_upstream_test.go new file mode 100644 index 00000000..c96ae7af --- /dev/null +++ b/test/integration/supervisor_upstream_test.go @@ -0,0 +1,163 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package integration + +import ( + "context" + "encoding/base64" + "testing" + "time" + + "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1" + "go.pinniped.dev/test/library" +) + +func TestSupervisorUpstreamOIDCDiscovery(t *testing.T) { + env := library.IntegrationEnv(t) + + t.Run("invalid missing secret and bad issuer", func(t *testing.T) { + t.Parallel() + spec := v1alpha1.UpstreamOIDCProviderSpec{ + Issuer: "https://127.0.0.1:444444/issuer", + AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{ + AdditionalScopes: []string{"email", "profile"}, + }, + Client: v1alpha1.OIDCClient{ + SecretName: "does-not-exist", + }, + } + upstream := makeTestUpstream(t, spec, v1alpha1.PhaseError) + expectUpstreamConditions(t, upstream, []v1alpha1.Condition{ + { + Type: "ClientCredentialsValid", + Status: v1alpha1.ConditionFalse, + Reason: "SecretNotFound", + Message: `secret "does-not-exist" not found`, + }, + { + Type: "OIDCDiscoverySucceeded", + Status: v1alpha1.ConditionFalse, + Reason: "Unreachable", + Message: `failed to perform OIDC discovery against "https://127.0.0.1:444444/issuer"`, + }, + }) + }) + + t.Run("valid", func(t *testing.T) { + t.Parallel() + spec := v1alpha1.UpstreamOIDCProviderSpec{ + Issuer: env.OIDCUpstream.Issuer, + TLS: &v1alpha1.TLSSpec{ + CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.OIDCUpstream.CABundle)), + }, + AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{ + AdditionalScopes: []string{"email", "profile"}, + }, + Client: v1alpha1.OIDCClient{ + SecretName: makeTestClientCredsSecret(t, "test-client-id", "test-client-secret").Name, + }, + } + upstream := makeTestUpstream(t, spec, v1alpha1.PhaseReady) + expectUpstreamConditions(t, upstream, []v1alpha1.Condition{ + { + Type: "ClientCredentialsValid", + Status: v1alpha1.ConditionTrue, + Reason: "Success", + Message: "loaded client credentials", + }, + { + Type: "OIDCDiscoverySucceeded", + Status: v1alpha1.ConditionTrue, + Reason: "Success", + Message: "discovered issuer configuration", + }, + }) + }) +} + +func expectUpstreamConditions(t *testing.T, upstream *v1alpha1.UpstreamOIDCProvider, expected []v1alpha1.Condition) { + t.Helper() + normalized := make([]v1alpha1.Condition, 0, len(upstream.Status.Conditions)) + for _, c := range upstream.Status.Conditions { + c.ObservedGeneration = 0 + c.LastTransitionTime = metav1.Time{} + normalized = append(normalized, c) + } + require.ElementsMatch(t, expected, normalized) +} + +func makeTestClientCredsSecret(t *testing.T, clientID string, clientSecret string) *corev1.Secret { + t.Helper() + env := library.IntegrationEnv(t) + client := library.NewClientset(t) + ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) + defer cancel() + + created, err := client.CoreV1().Secrets(env.SupervisorNamespace).Create(ctx, &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: env.SupervisorNamespace, + GenerateName: "test-client-creds-", + Labels: map[string]string{"pinniped.dev/test": ""}, + Annotations: map[string]string{"pinniped.dev/testName": t.Name()}, + }, + Type: "secrets.pinniped.dev/oidc-client", + StringData: map[string]string{ + "clientID": clientID, + "clientSecret": clientSecret, + }, + }, metav1.CreateOptions{}) + require.NoError(t, err) + t.Cleanup(func() { + err := client.CoreV1().Secrets(env.SupervisorNamespace).Delete(context.Background(), created.Name, metav1.DeleteOptions{}) + require.NoError(t, err) + }) + t.Logf("created test client credentials Secret %s", created.Name) + return created +} + +func makeTestUpstream(t *testing.T, spec v1alpha1.UpstreamOIDCProviderSpec, expectedPhase v1alpha1.UpstreamOIDCProviderPhase) *v1alpha1.UpstreamOIDCProvider { + t.Helper() + env := library.IntegrationEnv(t) + client := library.NewSupervisorClientset(t) + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) + defer cancel() + + // Create the UpstreamOIDCProvider using GenerateName to get a random name. + created, err := client.IDPV1alpha1(). + UpstreamOIDCProviders(env.SupervisorNamespace). + Create(ctx, &v1alpha1.UpstreamOIDCProvider{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: env.SupervisorNamespace, + GenerateName: "test-upstream-", + Labels: map[string]string{"pinniped.dev/test": ""}, + Annotations: map[string]string{"pinniped.dev/testName": t.Name()}, + }, + Spec: spec, + }, metav1.CreateOptions{}) + require.NoError(t, err) + + // Always clean this up after this point. + t.Cleanup(func() { + err := client.IDPV1alpha1(). + UpstreamOIDCProviders(env.SupervisorNamespace). + Delete(context.Background(), created.Name, metav1.DeleteOptions{}) + require.NoError(t, err) + }) + t.Logf("created test UpstreamOIDCProvider %s", created.Name) + + // Wait for the UpstreamOIDCProvider to enter the expected phase (or time out). + var result *v1alpha1.UpstreamOIDCProvider + require.Eventuallyf(t, func() bool { + var err error + result, err = client.IDPV1alpha1(). + UpstreamOIDCProviders(created.Namespace).Get(ctx, created.Name, metav1.GetOptions{}) + require.NoError(t, err) + return result.Status.Phase == expectedPhase + }, 60*time.Second, 1*time.Second, "expected the UpstreamOIDCProvider to go into phase %s", expectedPhase) + return result +} diff --git a/test/library/env.go b/test/library/env.go index 8cba1c11..ce7e5f94 100644 --- a/test/library/env.go +++ b/test/library/env.go @@ -38,6 +38,7 @@ type TestEnv struct { SupervisorHTTPSAddress string `json:"supervisorHttpsAddress"` SupervisorHTTPSIngressAddress string `json:"supervisorHttpsIngressAddress"` SupervisorHTTPSIngressCABundle string `json:"supervisorHttpsIngressCABundle"` + Proxy string `json:"proxy"` TestUser struct { Token string `json:"token"` @@ -47,6 +48,7 @@ type TestEnv struct { OIDCUpstream struct { Issuer string `json:"issuer"` + CABundle string `json:"caBundle" ` ClientID string `json:"clientID"` LocalhostPort int `json:"localhostPort"` Username string `json:"username"` @@ -126,8 +128,10 @@ func loadEnvVars(t *testing.T, result *TestEnv) { require.NoErrorf(t, err, "PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS must be a YAML map of string to string") result.SupervisorCustomLabels = supervisorCustomLabels require.NotEmpty(t, result.SupervisorCustomLabels, "PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS cannot be empty") + result.Proxy = os.Getenv("PINNIPED_TEST_PROXY") result.OIDCUpstream.Issuer = needEnv(t, "PINNIPED_TEST_CLI_OIDC_ISSUER") + result.OIDCUpstream.CABundle = os.Getenv("PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE") result.OIDCUpstream.ClientID = needEnv(t, "PINNIPED_TEST_CLI_OIDC_CLIENT_ID") result.OIDCUpstream.LocalhostPort, _ = strconv.Atoi(needEnv(t, "PINNIPED_TEST_CLI_OIDC_LOCALHOST_PORT")) result.OIDCUpstream.Username = needEnv(t, "PINNIPED_TEST_CLI_OIDC_USERNAME")