Fix some disallowed kubebuilder annotations, fix kube api discovery test

Signed-off-by: Margo Crawford <margaretc@vmware.com>
Margo Crawford 2022-06-04 21:04:40 -07:00
parent cd47ba53c2
commit ca3da0bc90
18 changed files with 41 additions and 86 deletions

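--- a/PATH-NOT-SHOWN-go-types
+++ b/PATH-NOT-SHOWN-go-types
@@ -12,7 +12,6 @@ type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
 // client. Any other uris will be rejected.
 // Must be https, unless it is a loopback.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@@ -27,7 +26,6 @@ type OIDCClientSpec struct {
 // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedGrantTypes []string `json:"allowedGrantTypes"`
@@ -47,7 +45,6 @@ type OIDCClientSpec struct {
 // - groups: The client is allowed to request that ID tokens contain the user's group membership,
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedScopes []string `json:"allowedScopes"`
 }
@@ -60,7 +57,6 @@ type OIDCClientStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
-// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type OIDCClient struct {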
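Review bot: Removing `+kubebuilder:validation:UniqueItems=true` from AllowedRedirectURIs, AllowedGrantTypes and AllowedScopes (hunks at -12, -27 and -47) drops the apiserver's rejection of duplicate entries without putting anything in its place; `uniqueItems` is indeed not accepted in a structural CRD schema, but `// +listType=set` is, and it still makes the apiserver reject duplicate list elements (and gives server-side apply set semantics), so I would add `// +listType=set` on each line where the UniqueItems marker was removed, or else state in the three field comments that duplicates are now accepted. The Privileged printer column dropped in the hunk at -60 was the only at-a-glance signal of which OIDCClients may request the pinniped:request-audience scope and thus obtain cluster credentials; if the range-based JSONPath is what the apiserver rejects, a status-derived boolean column, or at least a sentence in the OIDCClient doc comment telling operators to inspect spec.allowedScopes, would preserve that visibility. The same change is repeated verbatim in the other Go type sections of this commit, and the generated CRD YAML sections follow from whichever marker is chosen here.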

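--- a/PATH-NOT-SHOWN-crd-yaml
+++ b/PATH-NOT-SHOWN-crd-yaml
@@ -18,9 +18,6 @@ spec:
 scope: Namespaced
 versions:
 - additionalPrinterColumns:
-- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
-name: Privileged
-type: boolean
 - jsonPath: .metadata.creationTimestamp
 name: Age
 type: date
@@ -60,7 +57,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 allowedRedirectURIs:
 description: allowedRedirectURIs is a list of the allowed redirect_uri
 param values that should be accepted during OIDC flows with this
@@ -70,7 +66,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 allowedScopes:
 description: "allowedScopes is a list of the allowed scopes param
 values that should be accepted during OIDC flows with this client.
@@ -97,7 +92,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 required:
 - allowedGrantTypes
 - allowedRedirectURIs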

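--- a/PATH-NOT-SHOWN-go-types
+++ b/PATH-NOT-SHOWN-go-types
@@ -12,7 +12,6 @@ type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
 // client. Any other uris will be rejected.
 // Must be https, unless it is a loopback.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@@ -27,7 +26,6 @@ type OIDCClientSpec struct {
 // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedGrantTypes []string `json:"allowedGrantTypes"`
@@ -47,7 +45,6 @@ type OIDCClientSpec struct {
 // - groups: The client is allowed to request that ID tokens contain the user's group membership,
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedScopes []string `json:"allowedScopes"`
 }
@@ -60,7 +57,6 @@ type OIDCClientStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
-// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type OIDCClient struct {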

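--- a/PATH-NOT-SHOWN-crd-yaml
+++ b/PATH-NOT-SHOWN-crd-yaml
@@ -18,9 +18,6 @@ spec:
 scope: Namespaced
 versions:
 - additionalPrinterColumns:
-- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
-name: Privileged
-type: boolean
 - jsonPath: .metadata.creationTimestamp
 name: Age
 type: date
@@ -60,7 +57,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 allowedRedirectURIs:
 description: allowedRedirectURIs is a list of the allowed redirect_uri
 param values that should be accepted during OIDC flows with this
@@ -70,7 +66,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 allowedScopes:
 description: "allowedScopes is a list of the allowed scopes param
 values that should be accepted during OIDC flows with this client.
@@ -97,7 +92,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 required:
 - allowedGrantTypes
 - allowedRedirectURIs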

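--- a/PATH-NOT-SHOWN-go-types
+++ b/PATH-NOT-SHOWN-go-types
@@ -12,7 +12,6 @@ type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
 // client. Any other uris will be rejected.
 // Must be https, unless it is a loopback.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@@ -27,7 +26,6 @@ type OIDCClientSpec struct {
 // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedGrantTypes []string `json:"allowedGrantTypes"`
@@ -47,7 +45,6 @@ type OIDCClientSpec struct {
 // - groups: The client is allowed to request that ID tokens contain the user's group membership,
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedScopes []string `json:"allowedScopes"`
 }
@@ -60,7 +57,6 @@ type OIDCClientStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
-// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type OIDCClient struct {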

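--- a/PATH-NOT-SHOWN-crd-yaml
+++ b/PATH-NOT-SHOWN-crd-yaml
@@ -18,9 +18,6 @@ spec:
 scope: Namespaced
 versions:
 - additionalPrinterColumns:
-- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
-name: Privileged
-type: boolean
 - jsonPath: .metadata.creationTimestamp
 name: Age
 type: date
@@ -60,7 +57,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 allowedRedirectURIs:
 description: allowedRedirectURIs is a list of the allowed redirect_uri
 param values that should be accepted during OIDC flows with this
@@ -70,7 +66,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 allowedScopes:
 description: "allowedScopes is a list of the allowed scopes param
 values that should be accepted during OIDC flows with this client.
@@ -97,7 +92,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 required:
 - allowedGrantTypes
 - allowedRedirectURIs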

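--- a/PATH-NOT-SHOWN-go-types
+++ b/PATH-NOT-SHOWN-go-types
@@ -12,7 +12,6 @@ type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
 // client. Any other uris will be rejected.
 // Must be https, unless it is a loopback.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@@ -27,7 +26,6 @@ type OIDCClientSpec struct {
 // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedGrantTypes []string `json:"allowedGrantTypes"`
@@ -47,7 +45,6 @@ type OIDCClientSpec struct {
 // - groups: The client is allowed to request that ID tokens contain the user's group membership,
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedScopes []string `json:"allowedScopes"`
 }
@@ -60,7 +57,6 @@ type OIDCClientStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
-// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type OIDCClient struct {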

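--- a/PATH-NOT-SHOWN-crd-yaml
+++ b/PATH-NOT-SHOWN-crd-yaml
@@ -18,9 +18,6 @@ spec:
 scope: Namespaced
 versions:
 - additionalPrinterColumns:
-- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
-name: Privileged
-type: boolean
 - jsonPath: .metadata.creationTimestamp
 name: Age
 type: date
@@ -60,7 +57,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 allowedRedirectURIs:
 description: allowedRedirectURIs is a list of the allowed redirect_uri
 param values that should be accepted during OIDC flows with this
@@ -70,7 +66,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 allowedScopes:
 description: "allowedScopes is a list of the allowed scopes param
 values that should be accepted during OIDC flows with this client.
@@ -97,7 +92,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 required:
 - allowedGrantTypes
 - allowedRedirectURIs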

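--- a/PATH-NOT-SHOWN-go-types
+++ b/PATH-NOT-SHOWN-go-types
@@ -12,7 +12,6 @@ type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
 // client. Any other uris will be rejected.
 // Must be https, unless it is a loopback.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@@ -27,7 +26,6 @@ type OIDCClientSpec struct {
 // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedGrantTypes []string `json:"allowedGrantTypes"`
@@ -47,7 +45,6 @@ type OIDCClientSpec struct {
 // - groups: The client is allowed to request that ID tokens contain the user's group membership,
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedScopes []string `json:"allowedScopes"`
 }
@@ -60,7 +57,6 @@ type OIDCClientStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
-// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type OIDCClient struct {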

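--- a/PATH-NOT-SHOWN-crd-yaml
+++ b/PATH-NOT-SHOWN-crd-yaml
@@ -18,9 +18,6 @@ spec:
 scope: Namespaced
 versions:
 - additionalPrinterColumns:
-- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
-name: Privileged
-type: boolean
 - jsonPath: .metadata.creationTimestamp
 name: Age
 type: date
@@ -60,7 +57,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 allowedRedirectURIs:
 description: allowedRedirectURIs is a list of the allowed redirect_uri
 param values that should be accepted during OIDC flows with this
@@ -70,7 +66,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 allowedScopes:
 description: "allowedScopes is a list of the allowed scopes param
 values that should be accepted during OIDC flows with this client.
@@ -97,7 +92,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 required:
 - allowedGrantTypes
 - allowedRedirectURIs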

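--- a/PATH-NOT-SHOWN-go-types
+++ b/PATH-NOT-SHOWN-go-types
@@ -12,7 +12,6 @@ type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
 // client. Any other uris will be rejected.
 // Must be https, unless it is a loopback.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@@ -27,7 +26,6 @@ type OIDCClientSpec struct {
 // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedGrantTypes []string `json:"allowedGrantTypes"`
@@ -47,7 +45,6 @@ type OIDCClientSpec struct {
 // - groups: The client is allowed to request that ID tokens contain the user's group membership,
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedScopes []string `json:"allowedScopes"`
 }
@@ -60,7 +57,6 @@ type OIDCClientStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
-// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type OIDCClient struct {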

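--- a/PATH-NOT-SHOWN-crd-yaml
+++ b/PATH-NOT-SHOWN-crd-yaml
@@ -18,9 +18,6 @@ spec:
 scope: Namespaced
 versions:
 - additionalPrinterColumns:
-- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
-name: Privileged
-type: boolean
 - jsonPath: .metadata.creationTimestamp
 name: Age
 type: date
@@ -60,7 +57,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 allowedRedirectURIs:
 description: allowedRedirectURIs is a list of the allowed redirect_uri
 param values that should be accepted during OIDC flows with this
@@ -70,7 +66,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 allowedScopes:
 description: "allowedScopes is a list of the allowed scopes param
 values that should be accepted during OIDC flows with this client.
@@ -97,7 +92,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 required:
 - allowedGrantTypes
 - allowedRedirectURIs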

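--- a/PATH-NOT-SHOWN-go-types
+++ b/PATH-NOT-SHOWN-go-types
@@ -12,7 +12,6 @@ type OIDCClientSpec struct {
 // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
 // client. Any other uris will be rejected.
 // Must be https, unless it is a loopback.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@@ -27,7 +26,6 @@ type OIDCClientSpec struct {
 // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
 // which is a step in the process to be able to get a cluster credential for the user.
 // This grant must be listed if allowedScopes lists pinniped:request-audience.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedGrantTypes []string `json:"allowedGrantTypes"`
@@ -47,7 +45,6 @@ type OIDCClientSpec struct {
 // - groups: The client is allowed to request that ID tokens contain the user's group membership,
 // if their group membership is discoverable by the Supervisor.
 // Without the groups scope being requested and allowed, the ID token will not contain groups.
-// +kubebuilder:validation:UniqueItems=true
 // +kubebuilder:validation:MinItems=1
 AllowedScopes []string `json:"allowedScopes"`
 }
@@ -60,7 +57,6 @@ type OIDCClientStatus struct {
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:resource:categories=pinniped
-// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 // +kubebuilder:subresource:status
 type OIDCClient struct {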

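--- a/PATH-NOT-SHOWN-crd-yaml
+++ b/PATH-NOT-SHOWN-crd-yaml
@@ -18,9 +18,6 @@ spec:
 scope: Namespaced
 versions:
 - additionalPrinterColumns:
-- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
-name: Privileged
-type: boolean
 - jsonPath: .metadata.creationTimestamp
 name: Age
 type: date
@@ -60,7 +57,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 allowedRedirectURIs:
 description: allowedRedirectURIs is a list of the allowed redirect_uri
 param values that should be accepted during OIDC flows with this
@@ -70,7 +66,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 allowedScopes:
 description: "allowedScopes is a list of the allowed scopes param
 values that should be accepted during OIDC flows with this client.
@@ -97,7 +92,6 @@ spec:
 type: string
 minItems: 1
 type: array
-uniqueItems: true
 required:
 - allowedGrantTypes
 - allowedRedirectURIs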


@ -12,7 +12,6 @@ type OIDCClientSpec struct {
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
// client. Any other uris will be rejected. // client. Any other uris will be rejected.
// Must be https, unless it is a loopback. // Must be https, unless it is a loopback.
// +kubebuilder:validation:UniqueItems=true
// +kubebuilder:validation:MinItems=1 // +kubebuilder:validation:MinItems=1
AllowedRedirectURIs []string `json:"allowedRedirectURIs"` AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
// which is a step in the process to be able to get a cluster credential for the user. // which is a step in the process to be able to get a cluster credential for the user.
// This grant must be listed if allowedScopes lists pinniped:request-audience. // This grant must be listed if allowedScopes lists pinniped:request-audience.
// +kubebuilder:validation:UniqueItems=true
// +kubebuilder:validation:MinItems=1 // +kubebuilder:validation:MinItems=1
AllowedGrantTypes []string `json:"allowedGrantTypes"` AllowedGrantTypes []string `json:"allowedGrantTypes"`
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
// - groups: The client is allowed to request that ID tokens contain the user's group membership, // - groups: The client is allowed to request that ID tokens contain the user's group membership,
// if their group membership is discoverable by the Supervisor. // if their group membership is discoverable by the Supervisor.
// Without the groups scope being requested and allowed, the ID token will not contain groups. // Without the groups scope being requested and allowed, the ID token will not contain groups.
// +kubebuilder:validation:UniqueItems=true
// +kubebuilder:validation:MinItems=1 // +kubebuilder:validation:MinItems=1
AllowedScopes []string `json:"allowedScopes"` AllowedScopes []string `json:"allowedScopes"`
} }
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
// +genclient // +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped // +kubebuilder:resource:categories=pinniped
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status // +kubebuilder:subresource:status
type OIDCClient struct { type OIDCClient struct {
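Review bot: Dropping `+kubebuilder:validation:UniqueItems=true` from `AllowedRedirectURIs`, `AllowedGrantTypes` and `AllowedScopes` leaves nothing in the schema that rejects duplicate entries in these allow-lists, because `uniqueItems` is disallowed in CRD structural schemas and the hunks delete the marker without replacing it. The supported way to keep that invariant is `// +listType=set` on each of the three fields, which generates `x-kubernetes-list-type: set` and makes the apiserver reject repeated items on create and update; otherwise the OIDCClient validation or controller should dedupe or reject repeats itself. Duplicates are unlikely to widen what a client may do, but `allowedGrantTypes` and `allowedScopes` feed authorization decisions, so it is better to state uniqueness in the schema than to rely on every consumer tolerating repeats. This file appears to be a generated copy of the API types, so the marker belongs in the source template and should be regenerated into each versioned copy.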


@ -18,9 +18,6 @@ spec:
scope: Namespaced scope: Namespaced
versions: versions:
- additionalPrinterColumns: - additionalPrinterColumns:
- jsonPath: '{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}'
name: Privileged
type: boolean
- jsonPath: .metadata.creationTimestamp - jsonPath: .metadata.creationTimestamp
name: Age name: Age
type: date type: date
@ -60,7 +57,6 @@ spec:
type: string type: string
minItems: 1 minItems: 1
type: array type: array
uniqueItems: true
allowedRedirectURIs: allowedRedirectURIs:
description: allowedRedirectURIs is a list of the allowed redirect_uri description: allowedRedirectURIs is a list of the allowed redirect_uri
param values that should be accepted during OIDC flows with this param values that should be accepted during OIDC flows with this
@ -70,7 +66,6 @@ spec:
type: string type: string
minItems: 1 minItems: 1
type: array type: array
uniqueItems: true
allowedScopes: allowedScopes:
description: "allowedScopes is a list of the allowed scopes param description: "allowedScopes is a list of the allowed scopes param
values that should be accepted during OIDC flows with this client. values that should be accepted during OIDC flows with this client.
@ -97,7 +92,6 @@ spec:
type: string type: string
minItems: 1 minItems: 1
type: array type: array
uniqueItems: true
required: required:
- allowedGrantTypes - allowedGrantTypes
- allowedRedirectURIs - allowedRedirectURIs


@ -12,7 +12,6 @@ type OIDCClientSpec struct {
// allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this // allowedRedirectURIs is a list of the allowed redirect_uri param values that should be accepted during OIDC flows with this
// client. Any other uris will be rejected. // client. Any other uris will be rejected.
// Must be https, unless it is a loopback. // Must be https, unless it is a loopback.
// +kubebuilder:validation:UniqueItems=true
// +kubebuilder:validation:MinItems=1 // +kubebuilder:validation:MinItems=1
AllowedRedirectURIs []string `json:"allowedRedirectURIs"` AllowedRedirectURIs []string `json:"allowedRedirectURIs"`
@ -27,7 +26,6 @@ type OIDCClientSpec struct {
// - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange, // - urn:ietf:params:oauth:grant-type:token-exchange: allows the client to perform RFC8693 token exchange,
// which is a step in the process to be able to get a cluster credential for the user. // which is a step in the process to be able to get a cluster credential for the user.
// This grant must be listed if allowedScopes lists pinniped:request-audience. // This grant must be listed if allowedScopes lists pinniped:request-audience.
// +kubebuilder:validation:UniqueItems=true
// +kubebuilder:validation:MinItems=1 // +kubebuilder:validation:MinItems=1
AllowedGrantTypes []string `json:"allowedGrantTypes"` AllowedGrantTypes []string `json:"allowedGrantTypes"`
@ -47,7 +45,6 @@ type OIDCClientSpec struct {
// - groups: The client is allowed to request that ID tokens contain the user's group membership, // - groups: The client is allowed to request that ID tokens contain the user's group membership,
// if their group membership is discoverable by the Supervisor. // if their group membership is discoverable by the Supervisor.
// Without the groups scope being requested and allowed, the ID token will not contain groups. // Without the groups scope being requested and allowed, the ID token will not contain groups.
// +kubebuilder:validation:UniqueItems=true
// +kubebuilder:validation:MinItems=1 // +kubebuilder:validation:MinItems=1
AllowedScopes []string `json:"allowedScopes"` AllowedScopes []string `json:"allowedScopes"`
} }
@ -60,7 +57,6 @@ type OIDCClientStatus struct {
// +genclient // +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped // +kubebuilder:resource:categories=pinniped
// +kubebuilder:printcolumn:name="Privileged",type=boolean,JSONPath=`{range .spec.allowedScopes[?(@ == "pinniped:request-audience")]}{true}{end}{false}`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status // +kubebuilder:subresource:status
type OIDCClient struct { type OIDCClient struct {


@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. // Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package integration package integration
@ -53,6 +53,7 @@ func TestGetAPIResourceList(t *testing.T) {
configConciergeGV := makeGV("config", "concierge") configConciergeGV := makeGV("config", "concierge")
idpSupervisorGV := makeGV("idp", "supervisor") idpSupervisorGV := makeGV("idp", "supervisor")
configSupervisorGV := makeGV("config", "supervisor") configSupervisorGV := makeGV("config", "supervisor")
oauthSupervisorGV := makeGV("oauth", "supervisor")
tests := []struct { tests := []struct {
group metav1.APIGroup group metav1.APIGroup
@ -143,6 +144,39 @@ func TestGetAPIResourceList(t *testing.T) {
}, },
}, },
}, },
{
group: metav1.APIGroup{
Name: oauthSupervisorGV.Group,
Versions: []metav1.GroupVersionForDiscovery{
{
GroupVersion: oauthSupervisorGV.String(),
Version: oauthSupervisorGV.Version,
},
},
PreferredVersion: metav1.GroupVersionForDiscovery{
GroupVersion: oauthSupervisorGV.String(),
Version: oauthSupervisorGV.Version,
},
},
resourceByVersion: map[string][]metav1.APIResource{
oauthSupervisorGV.String(): {
{
Name: "oidcclients",
SingularName: "oidcclient",
Namespaced: true,
Kind: "OIDCClient",
Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"},
Categories: []string{"pinniped"},
},
{
Name: "oidcclients/status",
Namespaced: true,
Kind: "OIDCClient",
Verbs: []string{"get", "patch", "update"},
},
},
},
},
{ {
group: metav1.APIGroup{ group: metav1.APIGroup{
Name: idpSupervisorGV.Group, Name: idpSupervisorGV.Group,
@ -484,10 +518,15 @@ func TestCRDAdditionalPrinterColumns_Parallel(t *testing.T) {
{Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"}, {Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"},
}, },
}, },
addSuffix("oidcclients.oauth.supervisor"): {
"v1alpha1": []apiextensionsv1.CustomResourceColumnDefinition{
{Name: "Age", Type: "date", JSONPath: ".metadata.creationTimestamp"},
},
},
} }
actualPinnipedCRDCount := 0 actualPinnipedCRDCount := 0
expectedPinnipedCRDCount := 7 // the current number of CRDs that we ship as part of Pinniped expectedPinnipedCRDCount := 8 // the current number of CRDs that we ship as part of Pinniped
for _, crd := range crdList.Items { for _, crd := range crdList.Items {
if !strings.Contains(crd.Spec.Group, env.APIGroupSuffix) { if !strings.Contains(crd.Spec.Group, env.APIGroupSuffix) {