Fix some disallowed kubebuilder annotations, fix kube api discovery test
Signed-off-by: Margo Crawford <margaretc@vmware.com>
parent
cd47ba53c2
commit
ca3da0bc90
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
|||||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||||
// client. Any other uris will be rejected.
|
// client. Any other uris will be rejected.
|
||||||
// Must be https, unless it is a loopback.
|
// Must be https, unless it is a loopback.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||||
|
|
||||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
|||||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||||
// which is a step in the process to be able to get a cluster credential for the user.
|
// which is a step in the process to be able to get a cluster credential for the user.
|
||||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||||
|
|
||||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
|||||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||||
// if their group membership is discoverable by the Supervisor.
|
// if their group membership is discoverable by the Supervisor.
|
||||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedScopes []string `json:"allowedScopes"`
|
AllowedScopes []string `json:"allowedScopes"`
|
||||||
}
|
}
|
||||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
|||||||
// +genclient
|
// +genclient
|
||||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
// +kubebuilder:resource:categories=pinniped
|
// +kubebuilder:resource:categories=pinniped
|
||||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
|
||||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||||
// +kubebuilder:subresource:status
|
// +kubebuilder:subresource:status
|
||||||
type OIDCClient struct {
|
type OIDCClient struct {
|
||||||
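Review bot: With `+kubebuilder:validation:UniqueItems=true` dropped from `AllowedRedirectURIs`, `AllowedGrantTypes` and `AllowedScopes` (the three OIDCClientSpec hunks), nothing visible in this section still tells the API server to reject duplicate entries, and the field comments do not say whether duplicates are tolerated. If uniqueness is still intended, the marker that structural CRD schemas accept is `// +listType=set` above each field, which emits `x-kubernetes-list-type: set`; otherwise each field comment should say that duplicates are allowed and how the Supervisor treats them. The last hunk also removes the `Privileged` printer column, so `kubectl get` no longer shows which clients allow `pinniped:request-audience`; a one-line comment above `OIDCClient` noting how to audit for that scope would help. The same applies to the identical sections repeated further down the page, which look like generated copies, and both struct bodies start and end outside these hunks.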
|
@ -18,9 +18,6 @@ spec:
|
|||||||
scope: Namespaced
|
scope: Namespaced
|
||||||
versions:
|
versions:
|
||||||
- additionalPrinterColumns:
|
- additionalPrinterColumns:
|
||||||
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
|
||||||
name: Privileged
|
|
||||||
type: boolean
|
|
||||||
- jsonPath: .metadata.creationTimestamp
|
- jsonPath: .metadata.creationTimestamp
|
||||||
name: Age
|
name: Age
|
||||||
type: date
|
type: date
|
||||||
@ -60,7 +57,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
allowedRedirectURIs:
|
allowedRedirectURIs:
|
||||||
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||||||
param values that should be accepted during OIDC flows with this
|
param values that should be accepted during OIDC flows with this
|
||||||
@ -70,7 +66,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
allowedScopes:
|
allowedScopes:
|
||||||
description: "allowedScopes is a list of the allowed scopes param
|
description: "allowedScopes is a list of the allowed scopes param
|
||||||
values that should be accepted during OIDC flows with this client.
|
values that should be accepted during OIDC flows with this client.
|
||||||
@ -97,7 +92,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
required:
|
required:
|
||||||
- allowedGrantTypes
|
- allowedGrantTypes
|
||||||
- allowedRedirectURIs
|
- allowedRedirectURIs
|
||||||
|
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
|||||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||||
// client. Any other uris will be rejected.
|
// client. Any other uris will be rejected.
|
||||||
// Must be https, unless it is a loopback.
|
// Must be https, unless it is a loopback.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||||
|
|
||||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
|||||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||||
// which is a step in the process to be able to get a cluster credential for the user.
|
// which is a step in the process to be able to get a cluster credential for the user.
|
||||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||||
|
|
||||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
|||||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||||
// if their group membership is discoverable by the Supervisor.
|
// if their group membership is discoverable by the Supervisor.
|
||||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedScopes []string `json:"allowedScopes"`
|
AllowedScopes []string `json:"allowedScopes"`
|
||||||
}
|
}
|
||||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
|||||||
// +genclient
|
// +genclient
|
||||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
// +kubebuilder:resource:categories=pinniped
|
// +kubebuilder:resource:categories=pinniped
|
||||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
|
||||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||||
// +kubebuilder:subresource:status
|
// +kubebuilder:subresource:status
|
||||||
type OIDCClient struct {
|
type OIDCClient struct {
|
||||||
|
@ -18,9 +18,6 @@ spec:
|
|||||||
scope: Namespaced
|
scope: Namespaced
|
||||||
versions:
|
versions:
|
||||||
- additionalPrinterColumns:
|
- additionalPrinterColumns:
|
||||||
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
|
||||||
name: Privileged
|
|
||||||
type: boolean
|
|
||||||
- jsonPath: .metadata.creationTimestamp
|
- jsonPath: .metadata.creationTimestamp
|
||||||
name: Age
|
name: Age
|
||||||
type: date
|
type: date
|
||||||
@ -60,7 +57,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
allowedRedirectURIs:
|
allowedRedirectURIs:
|
||||||
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||||||
param values that should be accepted during OIDC flows with this
|
param values that should be accepted during OIDC flows with this
|
||||||
@ -70,7 +66,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
allowedScopes:
|
allowedScopes:
|
||||||
description: "allowedScopes is a list of the allowed scopes param
|
description: "allowedScopes is a list of the allowed scopes param
|
||||||
values that should be accepted during OIDC flows with this client.
|
values that should be accepted during OIDC flows with this client.
|
||||||
@ -97,7 +92,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
required:
|
required:
|
||||||
- allowedGrantTypes
|
- allowedGrantTypes
|
||||||
- allowedRedirectURIs
|
- allowedRedirectURIs
|
||||||
|
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
|||||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||||
// client. Any other uris will be rejected.
|
// client. Any other uris will be rejected.
|
||||||
// Must be https, unless it is a loopback.
|
// Must be https, unless it is a loopback.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||||
|
|
||||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
|||||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||||
// which is a step in the process to be able to get a cluster credential for the user.
|
// which is a step in the process to be able to get a cluster credential for the user.
|
||||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||||
|
|
||||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
|||||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||||
// if their group membership is discoverable by the Supervisor.
|
// if their group membership is discoverable by the Supervisor.
|
||||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedScopes []string `json:"allowedScopes"`
|
AllowedScopes []string `json:"allowedScopes"`
|
||||||
}
|
}
|
||||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
|||||||
// +genclient
|
// +genclient
|
||||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
// +kubebuilder:resource:categories=pinniped
|
// +kubebuilder:resource:categories=pinniped
|
||||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
|
||||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||||
// +kubebuilder:subresource:status
|
// +kubebuilder:subresource:status
|
||||||
type OIDCClient struct {
|
type OIDCClient struct {
|
||||||
|
@ -18,9 +18,6 @@ spec:
|
|||||||
scope: Namespaced
|
scope: Namespaced
|
||||||
versions:
|
versions:
|
||||||
- additionalPrinterColumns:
|
- additionalPrinterColumns:
|
||||||
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
|
||||||
name: Privileged
|
|
||||||
type: boolean
|
|
||||||
- jsonPath: .metadata.creationTimestamp
|
- jsonPath: .metadata.creationTimestamp
|
||||||
name: Age
|
name: Age
|
||||||
type: date
|
type: date
|
||||||
@ -60,7 +57,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
allowedRedirectURIs:
|
allowedRedirectURIs:
|
||||||
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||||||
param values that should be accepted during OIDC flows with this
|
param values that should be accepted during OIDC flows with this
|
||||||
@ -70,7 +66,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
allowedScopes:
|
allowedScopes:
|
||||||
description: "allowedScopes is a list of the allowed scopes param
|
description: "allowedScopes is a list of the allowed scopes param
|
||||||
values that should be accepted during OIDC flows with this client.
|
values that should be accepted during OIDC flows with this client.
|
||||||
@ -97,7 +92,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
required:
|
required:
|
||||||
- allowedGrantTypes
|
- allowedGrantTypes
|
||||||
- allowedRedirectURIs
|
- allowedRedirectURIs
|
||||||
|
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
|||||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||||
// client. Any other uris will be rejected.
|
// client. Any other uris will be rejected.
|
||||||
// Must be https, unless it is a loopback.
|
// Must be https, unless it is a loopback.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||||
|
|
||||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
|||||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||||
// which is a step in the process to be able to get a cluster credential for the user.
|
// which is a step in the process to be able to get a cluster credential for the user.
|
||||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||||
|
|
||||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
|||||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||||
// if their group membership is discoverable by the Supervisor.
|
// if their group membership is discoverable by the Supervisor.
|
||||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedScopes []string `json:"allowedScopes"`
|
AllowedScopes []string `json:"allowedScopes"`
|
||||||
}
|
}
|
||||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
|||||||
// +genclient
|
// +genclient
|
||||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
// +kubebuilder:resource:categories=pinniped
|
// +kubebuilder:resource:categories=pinniped
|
||||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
|
||||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||||
// +kubebuilder:subresource:status
|
// +kubebuilder:subresource:status
|
||||||
type OIDCClient struct {
|
type OIDCClient struct {
|
||||||
|
@ -18,9 +18,6 @@ spec:
|
|||||||
scope: Namespaced
|
scope: Namespaced
|
||||||
versions:
|
versions:
|
||||||
- additionalPrinterColumns:
|
- additionalPrinterColumns:
|
||||||
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
|
||||||
name: Privileged
|
|
||||||
type: boolean
|
|
||||||
- jsonPath: .metadata.creationTimestamp
|
- jsonPath: .metadata.creationTimestamp
|
||||||
name: Age
|
name: Age
|
||||||
type: date
|
type: date
|
||||||
@ -60,7 +57,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
allowedRedirectURIs:
|
allowedRedirectURIs:
|
||||||
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||||||
param values that should be accepted during OIDC flows with this
|
param values that should be accepted during OIDC flows with this
|
||||||
@ -70,7 +66,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
allowedScopes:
|
allowedScopes:
|
||||||
description: "allowedScopes is a list of the allowed scopes param
|
description: "allowedScopes is a list of the allowed scopes param
|
||||||
values that should be accepted during OIDC flows with this client.
|
values that should be accepted during OIDC flows with this client.
|
||||||
@ -97,7 +92,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
required:
|
required:
|
||||||
- allowedGrantTypes
|
- allowedGrantTypes
|
||||||
- allowedRedirectURIs
|
- allowedRedirectURIs
|
||||||
|
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
|||||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||||
// client. Any other uris will be rejected.
|
// client. Any other uris will be rejected.
|
||||||
// Must be https, unless it is a loopback.
|
// Must be https, unless it is a loopback.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||||
|
|
||||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
|||||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||||
// which is a step in the process to be able to get a cluster credential for the user.
|
// which is a step in the process to be able to get a cluster credential for the user.
|
||||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||||
|
|
||||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
|||||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||||
// if their group membership is discoverable by the Supervisor.
|
// if their group membership is discoverable by the Supervisor.
|
||||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedScopes []string `json:"allowedScopes"`
|
AllowedScopes []string `json:"allowedScopes"`
|
||||||
}
|
}
|
||||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
|||||||
// +genclient
|
// +genclient
|
||||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
// +kubebuilder:resource:categories=pinniped
|
// +kubebuilder:resource:categories=pinniped
|
||||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
|
||||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||||
// +kubebuilder:subresource:status
|
// +kubebuilder:subresource:status
|
||||||
type OIDCClient struct {
|
type OIDCClient struct {
|
||||||
|
@ -18,9 +18,6 @@ spec:
|
|||||||
scope: Namespaced
|
scope: Namespaced
|
||||||
versions:
|
versions:
|
||||||
- additionalPrinterColumns:
|
- additionalPrinterColumns:
|
||||||
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
|
||||||
name: Privileged
|
|
||||||
type: boolean
|
|
||||||
- jsonPath: .metadata.creationTimestamp
|
- jsonPath: .metadata.creationTimestamp
|
||||||
name: Age
|
name: Age
|
||||||
type: date
|
type: date
|
||||||
@ -60,7 +57,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
allowedRedirectURIs:
|
allowedRedirectURIs:
|
||||||
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||||||
param values that should be accepted during OIDC flows with this
|
param values that should be accepted during OIDC flows with this
|
||||||
@ -70,7 +66,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
allowedScopes:
|
allowedScopes:
|
||||||
description: "allowedScopes is a list of the allowed scopes param
|
description: "allowedScopes is a list of the allowed scopes param
|
||||||
values that should be accepted during OIDC flows with this client.
|
values that should be accepted during OIDC flows with this client.
|
||||||
@ -97,7 +92,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
required:
|
required:
|
||||||
- allowedGrantTypes
|
- allowedGrantTypes
|
||||||
- allowedRedirectURIs
|
- allowedRedirectURIs
|
||||||
|
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
|||||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||||
// client. Any other uris will be rejected.
|
// client. Any other uris will be rejected.
|
||||||
// Must be https, unless it is a loopback.
|
// Must be https, unless it is a loopback.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||||
|
|
||||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
|||||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||||
// which is a step in the process to be able to get a cluster credential for the user.
|
// which is a step in the process to be able to get a cluster credential for the user.
|
||||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||||
|
|
||||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
|||||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||||
// if their group membership is discoverable by the Supervisor.
|
// if their group membership is discoverable by the Supervisor.
|
||||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedScopes []string `json:"allowedScopes"`
|
AllowedScopes []string `json:"allowedScopes"`
|
||||||
}
|
}
|
||||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
|||||||
// +genclient
|
// +genclient
|
||||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
// +kubebuilder:resource:categories=pinniped
|
// +kubebuilder:resource:categories=pinniped
|
||||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
|
||||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||||
// +kubebuilder:subresource:status
|
// +kubebuilder:subresource:status
|
||||||
type OIDCClient struct {
|
type OIDCClient struct {
|
||||||
|
@ -18,9 +18,6 @@ spec:
|
|||||||
scope: Namespaced
|
scope: Namespaced
|
||||||
versions:
|
versions:
|
||||||
- additionalPrinterColumns:
|
- additionalPrinterColumns:
|
||||||
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
|
||||||
name: Privileged
|
|
||||||
type: boolean
|
|
||||||
- jsonPath: .metadata.creationTimestamp
|
- jsonPath: .metadata.creationTimestamp
|
||||||
name: Age
|
name: Age
|
||||||
type: date
|
type: date
|
||||||
@ -60,7 +57,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
allowedRedirectURIs:
|
allowedRedirectURIs:
|
||||||
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||||||
param values that should be accepted during OIDC flows with this
|
param values that should be accepted during OIDC flows with this
|
||||||
@ -70,7 +66,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
allowedScopes:
|
allowedScopes:
|
||||||
description: "allowedScopes is a list of the allowed scopes param
|
description: "allowedScopes is a list of the allowed scopes param
|
||||||
values that should be accepted during OIDC flows with this client.
|
values that should be accepted during OIDC flows with this client.
|
||||||
@ -97,7 +92,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
required:
|
required:
|
||||||
- allowedGrantTypes
|
- allowedGrantTypes
|
||||||
- allowedRedirectURIs
|
- allowedRedirectURIs
|
||||||
|
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
|||||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||||
// client. Any other uris will be rejected.
|
// client. Any other uris will be rejected.
|
||||||
// Must be https, unless it is a loopback.
|
// Must be https, unless it is a loopback.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||||
|
|
||||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
|||||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||||
// which is a step in the process to be able to get a cluster credential for the user.
|
// which is a step in the process to be able to get a cluster credential for the user.
|
||||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||||
|
|
||||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
|||||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||||
// if their group membership is discoverable by the Supervisor.
|
// if their group membership is discoverable by the Supervisor.
|
||||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedScopes []string `json:"allowedScopes"`
|
AllowedScopes []string `json:"allowedScopes"`
|
||||||
}
|
}
|
||||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
|||||||
// +genclient
|
// +genclient
|
||||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
// +kubebuilder:resource:categories=pinniped
|
// +kubebuilder:resource:categories=pinniped
|
||||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
|
||||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||||
// +kubebuilder:subresource:status
|
// +kubebuilder:subresource:status
|
||||||
type OIDCClient struct {
|
type OIDCClient struct {
|
||||||
|
@ -18,9 +18,6 @@ spec:
|
|||||||
scope: Namespaced
|
scope: Namespaced
|
||||||
versions:
|
versions:
|
||||||
- additionalPrinterColumns:
|
- additionalPrinterColumns:
|
||||||
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
|
||||||
name: Privileged
|
|
||||||
type: boolean
|
|
||||||
- jsonPath: .metadata.creationTimestamp
|
- jsonPath: .metadata.creationTimestamp
|
||||||
name: Age
|
name: Age
|
||||||
type: date
|
type: date
|
||||||
@ -60,7 +57,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
allowedRedirectURIs:
|
allowedRedirectURIs:
|
||||||
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||||||
param values that should be accepted during OIDC flows with this
|
param values that should be accepted during OIDC flows with this
|
||||||
@ -70,7 +66,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
allowedScopes:
|
allowedScopes:
|
||||||
description: "allowedScopes is a list of the allowed scopes param
|
description: "allowedScopes is a list of the allowed scopes param
|
||||||
values that should be accepted during OIDC flows with this client.
|
values that should be accepted during OIDC flows with this client.
|
||||||
@ -97,7 +92,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
required:
|
required:
|
||||||
- allowedGrantTypes
|
- allowedGrantTypes
|
||||||
- allowedRedirectURIs
|
- allowedRedirectURIs
|
||||||
|
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
|||||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||||
// client. Any other uris will be rejected.
|
// client. Any other uris will be rejected.
|
||||||
// Must be https, unless it is a loopback.
|
// Must be https, unless it is a loopback.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||||
|
|
||||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
|||||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||||
// which is a step in the process to be able to get a cluster credential for the user.
|
// which is a step in the process to be able to get a cluster credential for the user.
|
||||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||||
|
|
||||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
|||||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||||
// if their group membership is discoverable by the Supervisor.
|
// if their group membership is discoverable by the Supervisor.
|
||||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedScopes []string `json:"allowedScopes"`
|
AllowedScopes []string `json:"allowedScopes"`
|
||||||
}
|
}
|
||||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
|||||||
// +genclient
|
// +genclient
|
||||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
// +kubebuilder:resource:categories=pinniped
|
// +kubebuilder:resource:categories=pinniped
|
||||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
|
||||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||||
// +kubebuilder:subresource:status
|
// +kubebuilder:subresource:status
|
||||||
type OIDCClient struct {
|
type OIDCClient struct {
|
||||||
|
@ -18,9 +18,6 @@ spec:
|
|||||||
scope: Namespaced
|
scope: Namespaced
|
||||||
versions:
|
versions:
|
||||||
- additionalPrinterColumns:
|
- additionalPrinterColumns:
|
||||||
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
|
|
||||||
name: Privileged
|
|
||||||
type: boolean
|
|
||||||
- jsonPath: .metadata.creationTimestamp
|
- jsonPath: .metadata.creationTimestamp
|
||||||
name: Age
|
name: Age
|
||||||
type: date
|
type: date
|
||||||
@ -60,7 +57,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
allowedRedirectURIs:
|
allowedRedirectURIs:
|
||||||
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
description: allowedRedirectURIs is a list of the allowed redirect_uri
|
||||||
param values that should be accepted during OIDC flows with this
|
param values that should be accepted during OIDC flows with this
|
||||||
@ -70,7 +66,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
allowedScopes:
|
allowedScopes:
|
||||||
description: "allowedScopes is a list of the allowed scopes param
|
description: "allowedScopes is a list of the allowed scopes param
|
||||||
values that should be accepted during OIDC flows with this client.
|
values that should be accepted during OIDC flows with this client.
|
||||||
@ -97,7 +92,6 @@ spec:
|
|||||||
type: string
|
type: string
|
||||||
minItems: 1
|
minItems: 1
|
||||||
type: array
|
type: array
|
||||||
uniqueItems: true
|
|
||||||
required:
|
required:
|
||||||
- allowedGrantTypes
|
- allowedGrantTypes
|
||||||
- allowedRedirectURIs
|
- allowedRedirectURIs
|
||||||
|
@ -12,7 +12,6 @@ type OIDCClientSpec struct {
|
|||||||
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
|
||||||
// client. Any other uris will be rejected.
|
// client. Any other uris will be rejected.
|
||||||
// Must be https, unless it is a loopback.
|
// Must be https, unless it is a loopback.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
|
||||||
|
|
||||||
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
|
|||||||
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
|
||||||
// which is a step in the process to be able to get a cluster credential for the user.
|
// which is a step in the process to be able to get a cluster credential for the user.
|
||||||
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
// This grant must be listed if allowedScopes lists pinniped:request-audience.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
AllowedGrantTypes []string `json:"allowedGrantTypes"`
|
||||||
|
|
||||||
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
|
|||||||
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
// - groups: The client is allowed to request that ID tokens contain the user's group membership,
|
||||||
// if their group membership is discoverable by the Supervisor.
|
// if their group membership is discoverable by the Supervisor.
|
||||||
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
// Without the groups scope being requested and allowed, the ID token will not contain groups.
|
||||||
// +kubebuilder:validation:UniqueItems=true
|
|
||||||
// +kubebuilder:validation:MinItems=1
|
// +kubebuilder:validation:MinItems=1
|
||||||
AllowedScopes []string `json:"allowedScopes"`
|
AllowedScopes []string `json:"allowedScopes"`
|
||||||
}
|
}
|
||||||
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
|
|||||||
// +genclient
|
// +genclient
|
||||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
// +kubebuilder:resource:categories=pinniped
|
// +kubebuilder:resource:categories=pinniped
|
||||||
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
|
|
||||||
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
|
||||||
// +kubebuilder:subresource:status
|
// +kubebuilder:subresource:status
|
||||||
type OIDCClient struct {
|
type OIDCClient struct {
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package integration
|
package integration
|
||||||
@ -53,6 +53,7 @@ func TestGetAPIResourceList(t *testing.T) {
|
|||||||
configConciergeGV := makeGV("config", "concierge")
|
configConciergeGV := makeGV("config", "concierge")
|
||||||
idpSupervisorGV := makeGV("idp", "supervisor")
|
idpSupervisorGV := makeGV("idp", "supervisor")
|
||||||
configSupervisorGV := makeGV("config", "supervisor")
|
configSupervisorGV := makeGV("config", "supervisor")
|
||||||
|
oauthSupervisorGV := makeGV("oauth", "supervisor")
|
||||||
|
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
group metav1.APIGroup
|
group metav1.APIGroup
|
||||||
@ -143,6 +144,39 @@ func TestGetAPIResourceList(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
group: metav1.APIGroup{
|
||||||
|
Name: oauthSupervisorGV.Group,
|
||||||
|
Versions: []metav1.GroupVersionForDiscovery{
|
||||||
|
{
|
||||||
|
GroupVersion: oauthSupervisorGV.String(),
|
||||||
|
Version: oauthSupervisorGV.Version,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
PreferredVersion: metav1.GroupVersionForDiscovery{
|
||||||
|
GroupVersion: oauthSupervisorGV.String(),
|
||||||
|
Version: oauthSupervisorGV.Version,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
resourceByVersion: map[string][]metav1.APIResource{
|
||||||
|
oauthSupervisorGV.String(): {
|
||||||
|
{
|
||||||
|
Name: "oidcclients",
|
||||||
|
SingularName: "oidcclient",
|
||||||
|
Namespaced: true,
|
||||||
|
Kind: "OIDCClient",
|
||||||
|
Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
|
||||||
|
Categories: []string{"pinniped"},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Name: "oidcclients/status",
|
||||||
|
Namespaced: true,
|
||||||
|
Kind: "OIDCClient",
|
||||||
|
Verbs: []string{"get", "patch", "update"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
{
|
{
|
||||||
group: metav1.APIGroup{
|
group: metav1.APIGroup{
|
||||||
Name: idpSupervisorGV.Group,
|
Name: idpSupervisorGV.Group,
|
||||||
@ -484,10 +518,15 @@ func TestCRDAdditionalPrinterColumns_Parallel(t *testing.T) {
|
|||||||
{Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"},
|
{Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
addSuffix("oidcclients.oauth.supervisor"): {
|
||||||
|
"v1alpha1": []apiextensionsv1.CustomResourceColumnDefinition{
|
||||||
|
{Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"},
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
actualPinnipedCRDCount := 0
|
actualPinnipedCRDCount := 0
|
||||||
expectedPinnipedCRDCount := 7 // the current number of CRDs that we ship as part of Pinniped
|
expectedPinnipedCRDCount := 8 // the current number of CRDs that we ship as part of Pinniped
|
||||||
|
|
||||||
for _, crd := range crdList.Items {
|
for _, crd := range crdList.Items {
|
||||||
if !strings.Contains(crd.Spec.Group, env.APIGroupSuffix) {
|
if !strings.Contains(crd.Spec.Group, env.APIGroupSuffix) {
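Review bot: The expectation added for `addSuffix("oidcclients.oauth.supervisor")` pins only the Age column and does not record why the Privileged column is absent, so a later change could re-add it and run into the same rejection. A short comment above the entry would cover it, for example `// No "Privileged" column: its range/filter JSONPath was removed as a disallowed annotation.` That column appears to have been the only `kubectl get` signal for clients allowed `pinniped:request-audience`, so a replacement based on a plain field path (for instance a status field) may be worth tracking separately. TestCRDAdditionalPrinterColumns_Parallel starts and ends outside this hunk.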
|
||||||
|