From ca3da0bc90e073693c999e7a5c10f2d7ad00a3eb Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Sat, 4 Jun 2022 21:04:40 -0700 Subject: [PATCH] Fix some disallowed kubebuilder annotations, fix kube api discovery test Signed-off-by: Margo Crawford --- .../oauth/v1alpha1/types_oidcclient.go.tmpl | 4 -- ...h.supervisor.pinniped.dev_oidcclients.yaml | 6 --- .../oauth/v1alpha1/types_oidcclient.go | 4 -- ...h.supervisor.pinniped.dev_oidcclients.yaml | 6 --- .../oauth/v1alpha1/types_oidcclient.go | 4 -- ...h.supervisor.pinniped.dev_oidcclients.yaml | 6 --- .../oauth/v1alpha1/types_oidcclient.go | 4 -- ...h.supervisor.pinniped.dev_oidcclients.yaml | 6 --- .../oauth/v1alpha1/types_oidcclient.go | 4 -- ...h.supervisor.pinniped.dev_oidcclients.yaml | 6 --- .../oauth/v1alpha1/types_oidcclient.go | 4 -- ...h.supervisor.pinniped.dev_oidcclients.yaml | 6 --- .../oauth/v1alpha1/types_oidcclient.go | 4 -- ...h.supervisor.pinniped.dev_oidcclients.yaml | 6 --- .../oauth/v1alpha1/types_oidcclient.go | 4 -- ...h.supervisor.pinniped.dev_oidcclients.yaml | 6 --- .../oauth/v1alpha1/types_oidcclient.go | 4 -- test/integration/kube_api_discovery_test.go | 43 ++++++++++++++++++- 18 files changed, 41 insertions(+), 86 deletions(-) diff --git a/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl b/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl index ee125443..abae5f2c 100644 --- a/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl +++ b/apis/supervisor/oauth/v1alpha1/types_oidcclient.go.tmpl @@ -12,7 +12,6 @@ type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. // Must be https, unless it is a loopback. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedRedirectURIs []string `json:"allowedRedirectURIs"` 
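Review bot: Dropping `+kubebuilder:validation:UniqueItems=true` on `AllowedRedirectURIs` removes the only schema-level uniqueness guarantee without a replacement, and the same applies to `AllowedGrantTypes` and `AllowedScopes` in the next two hunks of this file. The API server rejects `uniqueItems` in structural CRD schemas, but it does enforce element uniqueness for lists marked `// +listType=set`, so that marker would keep the set semantics the field comments assume (e.g. "This grant must be listed if ...") in a form the API server accepts, once the generated CRDs are regenerated. If duplicates are instead meant to be tolerated, say so where the marker was: `// Duplicate entries are not rejected by the API server.` The remaining `Must be https, unless it is a loopback.` rule is not expressed in the schema either, so the comment should name where that check is enforced; this hunk does not show it. The `OIDCClientSpec` struct begins outside the hunk.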
@@ -27,7 +26,6 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []string `json:"allowedGrantTypes"` @@ -47,7 +45,6 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedScopes []string `json:"allowedScopes"` } @@ -60,7 +57,6 @@ type OIDCClientStatus struct { // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped -// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { diff --git a/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml b/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml index 0b4ee157..e5b2d932 100644 --- a/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/deploy/supervisor/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -18,9 +18,6 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' - name: Privileged - type: boolean - jsonPath: .metadata.creationTimestamp name: Age type: date 
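Review bot: Removing the `Privileged` printer column leaves `kubectl get oidcclients` with no at-a-glance indication of which clients may request `pinniped:request-audience`, which is the security-relevant property of this resource. The `{range ...}` JSONPath is presumably what the CRD validation rejected, but a plain-path column on `.spec.allowedScopes` (type `string`) would still surface the allowed scopes if the project wants to keep that signal. Either way, a comment next to the remaining `Age` column would stop the disallowed form from being reintroduced: `// NOTE: printer columns accept only simple JSONPath; the former "Privileged" column used a range expression the API server rejects.` The `OIDCClient` struct continues outside the hunk.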
@@ -60,7 +57,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this @@ -70,7 +66,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. @@ -97,7 +92,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true required: - allowedGrantTypes - allowedRedirectURIs diff --git a/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index ee125443..abae5f2c 100644 --- a/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.17/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -12,7 +12,6 @@ type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. // Must be https, unless it is a loopback. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedRedirectURIs []string `json:"allowedRedirectURIs"` @@ -27,7 +26,6 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []string `json:"allowedGrantTypes"` 
@@ -47,7 +45,6 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedScopes []string `json:"allowedScopes"` } @@ -60,7 +57,6 @@ type OIDCClientStatus struct { // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped -// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { diff --git a/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 0b4ee157..e5b2d932 100644 --- a/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.17/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -18,9 +18,6 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' - name: Privileged - type: boolean - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -60,7 +57,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this @@ -70,7 +66,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
@@ -97,7 +92,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true required: - allowedGrantTypes - allowedRedirectURIs diff --git a/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index ee125443..abae5f2c 100644 --- a/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.18/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -12,7 +12,6 @@ type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. // Must be https, unless it is a loopback. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedRedirectURIs []string `json:"allowedRedirectURIs"` @@ -27,7 +26,6 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []string `json:"allowedGrantTypes"` @@ -47,7 +45,6 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedScopes []string `json:"allowedScopes"` } 
@@ -60,7 +57,6 @@ type OIDCClientStatus struct { // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped -// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { diff --git a/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 0b4ee157..e5b2d932 100644 --- a/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.18/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -18,9 +18,6 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' - name: Privileged - type: boolean - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -60,7 +57,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this @@ -70,7 +66,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. @@ -97,7 +92,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true required: - allowedGrantTypes - allowedRedirectURIs diff --git a/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index ee125443..abae5f2c 100644 --- a/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go 
+++ b/generated/1.19/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -12,7 +12,6 @@ type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. // Must be https, unless it is a loopback. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedRedirectURIs []string `json:"allowedRedirectURIs"` @@ -27,7 +26,6 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []string `json:"allowedGrantTypes"` @@ -47,7 +45,6 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedScopes []string `json:"allowedScopes"` } @@ -60,7 +57,6 @@ type OIDCClientStatus struct { // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped -// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { 
diff --git a/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 0b4ee157..e5b2d932 100644 --- a/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.19/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -18,9 +18,6 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' - name: Privileged - type: boolean - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -60,7 +57,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this @@ -70,7 +66,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. @@ -97,7 +92,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true required: - allowedGrantTypes - allowedRedirectURIs diff --git a/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index ee125443..abae5f2c 100644 --- a/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.20/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -12,7 +12,6 @@ type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. // Must be https, unless it is a loopback. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedRedirectURIs []string `json:"allowedRedirectURIs"` 
@@ -27,7 +26,6 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []string `json:"allowedGrantTypes"` @@ -47,7 +45,6 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedScopes []string `json:"allowedScopes"` } @@ -60,7 +57,6 @@ type OIDCClientStatus struct { // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped -// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { diff --git a/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 0b4ee157..e5b2d932 100644 --- a/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.20/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -18,9 +18,6 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' - name: Privileged - type: boolean - jsonPath: .metadata.creationTimestamp name: Age type: date 
@@ -60,7 +57,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this @@ -70,7 +66,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. @@ -97,7 +92,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true required: - allowedGrantTypes - allowedRedirectURIs diff --git a/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index ee125443..abae5f2c 100644 --- a/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.21/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -12,7 +12,6 @@ type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. // Must be https, unless it is a loopback. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedRedirectURIs []string `json:"allowedRedirectURIs"` @@ -27,7 +26,6 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []string `json:"allowedGrantTypes"` 
@@ -47,7 +45,6 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedScopes []string `json:"allowedScopes"` } @@ -60,7 +57,6 @@ type OIDCClientStatus struct { // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped -// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { diff --git a/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 0b4ee157..e5b2d932 100644 --- a/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.21/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -18,9 +18,6 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' - name: Privileged - type: boolean - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -60,7 +57,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this @@ -70,7 +66,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. 
@@ -97,7 +92,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true required: - allowedGrantTypes - allowedRedirectURIs diff --git a/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index ee125443..abae5f2c 100644 --- a/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/1.22/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -12,7 +12,6 @@ type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. // Must be https, unless it is a loopback. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedRedirectURIs []string `json:"allowedRedirectURIs"` @@ -27,7 +26,6 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []string `json:"allowedGrantTypes"` @@ -47,7 +45,6 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedScopes []string `json:"allowedScopes"` } 
@@ -60,7 +57,6 @@ type OIDCClientStatus struct { // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped -// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { diff --git a/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 0b4ee157..e5b2d932 100644 --- a/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.22/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -18,9 +18,6 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' - name: Privileged - type: boolean - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -60,7 +57,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this @@ -70,7 +66,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. @@ -97,7 +92,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true required: - allowedGrantTypes - allowedRedirectURIs diff --git a/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index ee125443..abae5f2c 100644 --- a/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go 
+++ b/generated/1.23/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -12,7 +12,6 @@ type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. // Must be https, unless it is a loopback. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedRedirectURIs []string `json:"allowedRedirectURIs"` @@ -27,7 +26,6 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []string `json:"allowedGrantTypes"` @@ -47,7 +45,6 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedScopes []string `json:"allowedScopes"` } @@ -60,7 +57,6 @@ type OIDCClientStatus struct { // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped -// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { 
diff --git a/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml b/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml index 0b4ee157..e5b2d932 100644 --- a/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml +++ b/generated/1.23/crds/oauth.supervisor.pinniped.dev_oidcclients.yaml @@ -18,9 +18,6 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}' - name: Privileged - type: boolean - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -60,7 +57,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true allowedRedirectURIs: description: allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this @@ -70,7 +66,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true allowedScopes: description: "allowedScopes is a list of the allowed scopes param values that should be accepted during OIDC flows with this client. @@ -97,7 +92,6 @@ spec: type: string minItems: 1 type: array - uniqueItems: true required: - allowedGrantTypes - allowedRedirectURIs diff --git a/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go b/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go index ee125443..abae5f2c 100644 --- a/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go +++ b/generated/latest/apis/supervisor/oauth/v1alpha1/types_oidcclient.go @@ -12,7 +12,6 @@ type OIDCClientSpec struct { // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // client. Any other uris will be rejected. // Must be https, unless it is a loopback. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedRedirectURIs []string `json:"allowedRedirectURIs"` 
@@ -27,7 +26,6 @@ type OIDCClientSpec struct { // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // which is a step in the process to be able to get a cluster credential for the user. // This grant must be listed if allowedScopes lists pinniped:request-audience. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedGrantTypes []string `json:"allowedGrantTypes"` @@ -47,7 +45,6 @@ type OIDCClientSpec struct { // - groups: The client is allowed to request that ID tokens contain the user's group membership, // if their group membership is discoverable by the Supervisor. // Without the groups scope being requested and allowed, the ID token will not contain groups. - // +kubebuilder:validation:UniqueItems=true // +kubebuilder:validation:MinItems=1 AllowedScopes []string `json:"allowedScopes"` } @@ -60,7 +57,6 @@ type OIDCClientStatus struct { // +genclient // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:categories=pinniped -// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:subresource:status type OIDCClient struct { diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go index eec88808..c0d243cf 100644 --- a/test/integration/kube_api_discovery_test.go +++ b/test/integration/kube_api_discovery_test.go @@ -1,4 +1,4 @@ -// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package integration 
@@ -53,6 +53,7 @@ func TestGetAPIResourceList(t *testing.T) { configConciergeGV := makeGV("config", "concierge") idpSupervisorGV := makeGV("idp", "supervisor") configSupervisorGV := makeGV("config", "supervisor") + oauthSupervisorGV := makeGV("oauth", "supervisor") tests := []struct { group metav1.APIGroup @@ -143,6 +144,39 @@ func TestGetAPIResourceList(t *testing.T) { }, }, }, + { + group: metav1.APIGroup{ + Name: oauthSupervisorGV.Group, + Versions: []metav1.GroupVersionForDiscovery{ + { + GroupVersion: oauthSupervisorGV.String(), + Version: oauthSupervisorGV.Version, + }, + }, + PreferredVersion: metav1.GroupVersionForDiscovery{ + GroupVersion: oauthSupervisorGV.String(), + Version: oauthSupervisorGV.Version, + }, + }, + resourceByVersion: map[string][]metav1.APIResource{ + oauthSupervisorGV.String(): { + { + Name: "oidcclients", + SingularName: "oidcclient", + Namespaced: true, + Kind: "OIDCClient", + Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"}, + Categories: []string{"pinniped"}, + }, + { + Name: "oidcclients/status", + Namespaced: true, + Kind: "OIDCClient", + Verbs: []string{"get", "patch", "update"}, + }, + }, + }, + }, { group: metav1.APIGroup{ Name: idpSupervisorGV.Group, @@ -484,10 +518,15 @@ func TestCRDAdditionalPrinterColumns_Parallel(t *testing.T) { {Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"}, }, }, + addSuffix("oidcclients.oauth.supervisor"): { + "v1alpha1": []apiextensionsv1.CustomResourceColumnDefinition{ + {Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"}, + }, + }, } actualPinnipedCRDCount := 0 - expectedPinnipedCRDCount := 7 // the current number of CRDs that we ship as part of Pinniped + expectedPinnipedCRDCount := 8 // the current number of CRDs that we ship as part of Pinniped for _, crd := range crdList.Items { if !strings.Contains(crd.Spec.Group, env.APIGroupSuffix) {
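Review bot: In the last hunk, `expectedPinnipedCRDCount := 8` is a hand-maintained number that has to be bumped in step with the printer-column table just above it, as this commit does. If that table has exactly one key per shipped CRD (its declaration is outside the hunk), deriving the count as `expectedPinnipedCRDCount := len(<printer-column map declared above>)` would keep the two from drifting the next time a CRD is added, and the existing comment could then read `// one entry per CRD that we ship as part of Pinniped`. `TestCRDAdditionalPrinterColumns_Parallel` starts and ends outside the hunk.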