Fix some disallowed kubebuilder annotations, fix kube api discovery test
Signed-off-by: Margo Crawford <margaretc@vmware.com>
This commit is contained in:
parent
cd47ba53c2
commit
ca3da0bc90
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||
// client. Any other uris will be rejected.
|
||||
// Must be https, unless it is a loopback.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||
|
||||
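Review bot: Dropping the `UniqueItems=true` marker (the line this hunk appears to remove, judging by its 7→6 line count) means the API server will no longer reject duplicate entries in allowedRedirectURIs, and the next two hunks do the same for allowedGrantTypes and allowedScopes; since these lists are security allowlists, the field comments should state what the Supervisor does with repeated values so the behaviour is deliberate rather than an accident of the schema. Add above the field, e.g. `// Duplicate entries are not rejected by the API server (uniqueItems is not permitted in structural CRD schemas); the Supervisor treats repeated values as a single entry.` — the second half is an assumption to confirm against the validation code, or replace with "are rejected by the Supervisor" if that is what it does. The same three hunks recur in the later copies of this file on this page, which look like per-Kubernetes-version generated duplicates, so the comment only needs to land in the hand-maintained source. OIDCClientSpec's definition starts outside the hunk.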
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||
// which is a step in the process to be able to get a cluster credential for the user.
|
||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||
|
||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||
// if their group membership is discoverable by the Supervisor.
|
||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedScopes []string `json:"allowedScopes"`
|
||||
}
|
||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
||||
// +genclient
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type OIDCClient struct {
|
||||
|
@ -18,9 +18,6 @@ spec:
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
||||
name: Privileged
|
||||
type: boolean
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
@ -60,7 +57,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
allowedRedirectURIs:
|
||||
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||||
param values that should be accepted during OIDC flows with this
|
||||
@ -70,7 +66,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
allowedScopes:
|
||||
description: "allowedScopes is a list of the allowed scopes param
|
||||
values that should be accepted during OIDC flows with this client.
|
||||
@ -97,7 +92,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
required:
|
||||
- allowedGrantTypes
|
||||
- allowedRedirectURIs
|
||||
|
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||
// client. Any other uris will be rejected.
|
||||
// Must be https, unless it is a loopback.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||
|
||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||
// which is a step in the process to be able to get a cluster credential for the user.
|
||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||
|
||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||
// if their group membership is discoverable by the Supervisor.
|
||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedScopes []string `json:"allowedScopes"`
|
||||
}
|
||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
||||
// +genclient
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type OIDCClient struct {
|
||||
|
@ -18,9 +18,6 @@ spec:
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
||||
name: Privileged
|
||||
type: boolean
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
@ -60,7 +57,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
allowedRedirectURIs:
|
||||
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||||
param values that should be accepted during OIDC flows with this
|
||||
@ -70,7 +66,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
allowedScopes:
|
||||
description: "allowedScopes is a list of the allowed scopes param
|
||||
values that should be accepted during OIDC flows with this client.
|
||||
@ -97,7 +92,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
required:
|
||||
- allowedGrantTypes
|
||||
- allowedRedirectURIs
|
||||
|
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||
// client. Any other uris will be rejected.
|
||||
// Must be https, unless it is a loopback.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||
|
||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||
// which is a step in the process to be able to get a cluster credential for the user.
|
||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||
|
||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||
// if their group membership is discoverable by the Supervisor.
|
||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedScopes []string `json:"allowedScopes"`
|
||||
}
|
||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
||||
// +genclient
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type OIDCClient struct {
|
||||
|
@ -18,9 +18,6 @@ spec:
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
||||
name: Privileged
|
||||
type: boolean
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
@ -60,7 +57,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
allowedRedirectURIs:
|
||||
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||||
param values that should be accepted during OIDC flows with this
|
||||
@ -70,7 +66,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
allowedScopes:
|
||||
description: "allowedScopes is a list of the allowed scopes param
|
||||
values that should be accepted during OIDC flows with this client.
|
||||
@ -97,7 +92,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
required:
|
||||
- allowedGrantTypes
|
||||
- allowedRedirectURIs
|
||||
|
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||
// client. Any other uris will be rejected.
|
||||
// Must be https, unless it is a loopback.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||
|
||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||
// which is a step in the process to be able to get a cluster credential for the user.
|
||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||
|
||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||
// if their group membership is discoverable by the Supervisor.
|
||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedScopes []string `json:"allowedScopes"`
|
||||
}
|
||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
||||
// +genclient
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type OIDCClient struct {
|
||||
|
@ -18,9 +18,6 @@ spec:
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
||||
name: Privileged
|
||||
type: boolean
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
@ -60,7 +57,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
allowedRedirectURIs:
|
||||
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||||
param values that should be accepted during OIDC flows with this
|
||||
@ -70,7 +66,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
allowedScopes:
|
||||
description: "allowedScopes is a list of the allowed scopes param
|
||||
values that should be accepted during OIDC flows with this client.
|
||||
@ -97,7 +92,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
required:
|
||||
- allowedGrantTypes
|
||||
- allowedRedirectURIs
|
||||
|
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||
// client. Any other uris will be rejected.
|
||||
// Must be https, unless it is a loopback.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||
|
||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||
// which is a step in the process to be able to get a cluster credential for the user.
|
||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||
|
||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||
// if their group membership is discoverable by the Supervisor.
|
||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedScopes []string `json:"allowedScopes"`
|
||||
}
|
||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
||||
// +genclient
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type OIDCClient struct {
|
||||
|
@ -18,9 +18,6 @@ spec:
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
||||
name: Privileged
|
||||
type: boolean
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
@ -60,7 +57,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
allowedRedirectURIs:
|
||||
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||||
param values that should be accepted during OIDC flows with this
|
||||
@ -70,7 +66,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
allowedScopes:
|
||||
description: "allowedScopes is a list of the allowed scopes param
|
||||
values that should be accepted during OIDC flows with this client.
|
||||
@ -97,7 +92,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
required:
|
||||
- allowedGrantTypes
|
||||
- allowedRedirectURIs
|
||||
|
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||
// client. Any other uris will be rejected.
|
||||
// Must be https, unless it is a loopback.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||
|
||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||
// which is a step in the process to be able to get a cluster credential for the user.
|
||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||
|
||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||
// if their group membership is discoverable by the Supervisor.
|
||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedScopes []string `json:"allowedScopes"`
|
||||
}
|
||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
||||
// +genclient
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type OIDCClient struct {
|
||||
|
@ -18,9 +18,6 @@ spec:
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
||||
name: Privileged
|
||||
type: boolean
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
@ -60,7 +57,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
allowedRedirectURIs:
|
||||
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||||
param values that should be accepted during OIDC flows with this
|
||||
@ -70,7 +66,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
allowedScopes:
|
||||
description: "allowedScopes is a list of the allowed scopes param
|
||||
values that should be accepted during OIDC flows with this client.
|
||||
@ -97,7 +92,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
required:
|
||||
- allowedGrantTypes
|
||||
- allowedRedirectURIs
|
||||
|
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||
// client. Any other uris will be rejected.
|
||||
// Must be https, unless it is a loopback.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||
|
||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||
// which is a step in the process to be able to get a cluster credential for the user.
|
||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||
|
||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||
// if their group membership is discoverable by the Supervisor.
|
||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedScopes []string `json:"allowedScopes"`
|
||||
}
|
||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
||||
// +genclient
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type OIDCClient struct {
|
||||
|
@ -18,9 +18,6 @@ spec:
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
||||
name: Privileged
|
||||
type: boolean
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
@ -60,7 +57,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
allowedRedirectURIs:
|
||||
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||||
param values that should be accepted during OIDC flows with this
|
||||
@ -70,7 +66,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
allowedScopes:
|
||||
description: "allowedScopes is a list of the allowed scopes param
|
||||
values that should be accepted during OIDC flows with this client.
|
||||
@ -97,7 +92,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
required:
|
||||
- allowedGrantTypes
|
||||
- allowedRedirectURIs
|
||||
|
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||
// client. Any other uris will be rejected.
|
||||
// Must be https, unless it is a loopback.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||
|
||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||
// which is a step in the process to be able to get a cluster credential for the user.
|
||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||
|
||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||
// if their group membership is discoverable by the Supervisor.
|
||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedScopes []string `json:"allowedScopes"`
|
||||
}
|
||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
||||
// +genclient
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type OIDCClient struct {
|
||||
|
@ -18,9 +18,6 @@ spec:
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
||||
name: Privileged
|
||||
type: boolean
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
@ -60,7 +57,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
allowedRedirectURIs:
|
||||
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||||
param values that should be accepted during OIDC flows with this
|
||||
@ -70,7 +66,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
allowedScopes:
|
||||
description: "allowedScopes is a list of the allowed scopes param
|
||||
values that should be accepted during OIDC flows with this client.
|
||||
@ -97,7 +92,6 @@ spec:
|
||||
type: string
|
||||
minItems: 1
|
||||
type: array
|
||||
uniqueItems: true
|
||||
required:
|
||||
- allowedGrantTypes
|
||||
- allowedRedirectURIs
|
||||
|
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||
// client. Any other uris will be rejected.
|
||||
// Must be https, unless it is a loopback.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||
|
||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||
// which is a step in the process to be able to get a cluster credential for the user.
|
||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||
|
||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||
// if their group membership is discoverable by the Supervisor.
|
||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||
// +kubebuilder:validation:UniqueItems=true
|
||||
// +kubebuilder:validation:MinItems=1
|
||||
AllowedScopes []string `json:"allowedScopes"`
|
||||
}
|
||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
||||
// +genclient
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:categories=pinniped
|
||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||
// +kubebuilder:subresource:status
|
||||
type OIDCClient struct {
|
||||
|
@ -1,4 +1,4 @@
|
||||
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package integration
|
||||
@ -53,6 +53,7 @@ func TestGetAPIResourceList(t *testing.T) {
|
||||
configConciergeGV := makeGV("config", "concierge")
|
||||
idpSupervisorGV := makeGV("idp", "supervisor")
|
||||
configSupervisorGV := makeGV("config", "supervisor")
|
||||
oauthSupervisorGV := makeGV("oauth", "supervisor")
|
||||
|
||||
tests := []struct {
|
||||
group metav1.APIGroup
|
||||
@ -143,6 +144,39 @@ func TestGetAPIResourceList(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
group: metav1.APIGroup{
|
||||
Name: oauthSupervisorGV.Group,
|
||||
Versions: []metav1.GroupVersionForDiscovery{
|
||||
{
|
||||
GroupVersion: oauthSupervisorGV.String(),
|
||||
Version: oauthSupervisorGV.Version,
|
||||
},
|
||||
},
|
||||
PreferredVersion: metav1.GroupVersionForDiscovery{
|
||||
GroupVersion: oauthSupervisorGV.String(),
|
||||
Version: oauthSupervisorGV.Version,
|
||||
},
|
||||
},
|
||||
resourceByVersion: map[string][]metav1.APIResource{
|
||||
oauthSupervisorGV.String(): {
|
||||
{
|
||||
Name: "oidcclients",
|
||||
SingularName: "oidcclient",
|
||||
Namespaced: true,
|
||||
Kind: "OIDCClient",
|
||||
Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
|
||||
Categories: []string{"pinniped"},
|
||||
},
|
||||
{
|
||||
Name: "oidcclients/status",
|
||||
Namespaced: true,
|
||||
Kind: "OIDCClient",
|
||||
Verbs: []string{"get", "patch", "update"},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
group: metav1.APIGroup{
|
||||
Name: idpSupervisorGV.Group,
|
||||
@ -484,10 +518,15 @@ func TestCRDAdditionalPrinterColumns_Parallel(t *testing.T) {
|
||||
{Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"},
|
||||
},
|
||||
},
|
||||
addSuffix("oidcclients.oauth.supervisor"): {
|
||||
"v1alpha1": []apiextensionsv1.CustomResourceColumnDefinition{
|
||||
{Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
actualPinnipedCRDCount := 0
|
||||
expectedPinnipedCRDCount := 7 // the current number of CRDs that we ship as part of Pinniped
|
||||
expectedPinnipedCRDCount := 8 // the current number of CRDs that we ship as part of Pinniped
|
||||
|
||||
for _, crd := range crdList.Items {
|
||||
if !strings.Contains(crd.Spec.Group, env.APIGroupSuffix) {
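Review bot: The expectation for `oidcclients.oauth.supervisor` lists only the `Age` column, so the `Privileged` column (whose `{range .spec.allowedScopes[...]}` JSONPath still appears on the old side of the CRD hunks earlier on this page) disappears here with no explanation; add above that entry `// No "Privileged" column: its range-style JSONPath is not a simple JSONPath accepted for CRD printer columns; inspect .spec.allowedScopes for pinniped:request-audience directly.` so it is not re-added by hand. The reason is inferred from the commit title, which only says the annotations were disallowed, so confirm it before wording the comment. `expectedPinnipedCRDCount := 8` also repeats by hand the number of entries in the expectation map declared above the hunk; `expectedPinnipedCRDCount := len(<expectation map>)` would keep the two from drifting, provided every shipped CRD has an entry in that map. TestCRDAdditionalPrinterColumns_Parallel begins and ends outside the hunk.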
|
||||
|